CVE-2025-5282

HIGH

WP Travel Engine < 6.5.1 - Unauthenticated Arbitrary Post Deletion via delete_package()

Title source: llm

Description

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3305447/wp-travel-engine/tags/6.5.2/includes/classes/Core/Controllers/RestAPI/V2/Trip.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/ebc8d724-3936-42d8-8850-bc330c5221dc?source=cve

Scores

CVSS v3 7.5

EPSS 0.0026

EPSS Percentile 17.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

wptravelengine/WP Travel Engine – Tour Booking Plugin – Tour Operator Software < 6.5.1

wptravelengine/wp_travel_engine < 6.5.2

Published Jun 13, 2025

Tracked Since Feb 18, 2026