CVE-2024-30502

CRITICAL NUCLEI

WP Travel Engine < 5.7.9 - Unauthenticated Blind SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-30502. PoCs published by Sechunt3r. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-30502, an unauthenticated time-based blind SQL injection vulnerability in WP Travel Engine <= 5.7.9. The exploit includes a Nuclei template (YAML) and a Bash script that automates the attack flow, demonstrating the vulnerability by injecting a SLEEP payload into the email parameter.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.7.9.

Exploits (1)

github WORKING POC

by Sechunt3r · shellpoc

https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2024-30502

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-30502, an unauthenticated time-based blind SQL injection vulnerability in WP Travel Engine <= 5.7.9. The exploit includes a Nuclei template (YAML) and a Bash script that automates the attack flow, demonstrating the vulnerability by injecting a SLEEP payload into the email parameter.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WP Travel Engine (WordPress plugin) <= 5.7.9

No auth needed

Prerequisites: Target WordPress site with WP Travel Engine plugin <= 5.7.9 · Access to a trip page to extract nonces

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Mar 07, 2026 Full analysis →

Nuclei Templates (1)

WP Travel Engine <= 5.7.9 - SQL Injection

CRITICALVERIFIEDby Shivam Kamboj

References (1)

Core 1

Core References

Third Party Advisory vdb-entry

https://patchstack.com/database/vulnerability/wp-travel-engine/wordpress-wp-travel-engine-plugin-5-7-9-unauth-blind-sql-injection-vulnerability?_s_id=cve

Scores

CVSS v3 9.3

EPSS 0.0227

EPSS Percentile 80.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

WP Travel Engine/WP Travel Engine < 5.7.9

wptravelengine/wp_travel_engine < 5.8.0

Published Mar 29, 2024

Tracked Since Feb 18, 2026