More than 20,000 travel websites built on WordPress have been exposed to serious security risks because of multiple vulnerabilities discovered in the WP Travel Engine plugin, according to WordPress security vendor Wordfence.

Two critical flaws have been found in the plugin, both rated 9.8 out of 10 on the CVSS severity scale. The vulnerabilities allow unauthenticated attackers (that is, attackers with no account on the site) to take full control of affected websites.
The first flaw, located in the plugin's set_user_profile_image function, lets an attacker rename, delete or overwrite arbitrary files on the site, including wp-config.php. Removing wp-config.php drops WordPress back into its installation wizard, which is what turns a file-deletion bug into a site-takeover vector.
The second vulnerability, a Local File Inclusion (LFI), is reachable through a request parameter called "mode" and lets an attacker include and execute PHP files already on the server and read sensitive data.
Recommendations for Protecting your WordPress Site’s Security
These vulnerabilities affect all versions of the plugin up to and including 6.6.7. WP Travel Engine is widely used by travel agencies and tour operators to manage bookings and tour packages. The LFI in particular could be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and then included.
Administrators running WP Travel Engine are advised to:
- Update to the latest version immediately (anything at or below 6.6.7 is affected);
- Carefully review file and directory permissions on the site, with particular attention to wp-config.php;
- Monitor web server logs for suspicious activity, in particular unexpected requests carrying the "mode" parameter and unexplained changes to wp-config.php.
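As an added illustration of the update and monitoring advice above (example code written for this article, not code from Wordfence or the WP Travel Engine project), the following Python script compares an installed plugin version against the 6.6.7 cutoff stated in the advisory, scans web-server log lines for requests whose `mode` parameter carries generic path-traversal or PHP stream-wrapper indicators, and checks that wp-config.php is not group- or world-writable. The plugin header and log lines are constructed for the example; the combined log format, the `/tours/` request path and the traversal heuristic are assumptions of this example, not a published detection signature for the flaw.

```python
import re
import stat
from urllib.parse import parse_qsl, unquote, urlsplit

# Per the advisory summarised above, every version up to and including 6.6.7 is affected.
LAST_VULNERABLE = (6, 6, 7)

# Generic LFI indicators to look for in the "mode" parameter. This heuristic is an
# assumption of this example, not a Wordfence signature for the vulnerability.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|^php://|^file://|^/etc/|\x00)", re.IGNORECASE)

# Request line of an Apache/nginx "combined" format log entry (assumed log format).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def parse_version(text):
    """'6.6.7' -> (6, 6, 7); anything from the first non-numeric component on is ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_from_plugin_header(header_text):
    """Pull the 'Version:' field out of a WordPress plugin main-file header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_version(version):
    """True when the installed version is <= 6.6.7 (tuple order gives 6.6 < 6.6.7 < 6.7)."""
    return parse_version(version) <= LAST_VULNERABLE


def suspicious_mode_values(log_lines):
    """Return (line_no, decoded value) for requests whose 'mode' parameter has LFI indicators."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key != "mode":
                continue
            decoded = unquote(value)  # parse_qsl decoded once; this also catches double-encoding
            if TRAVERSAL.search(decoded):
                hits.append((n, decoded))
    return hits


def wp_config_mode_ok(st_mode):
    """wp-config.php must not be writable by group or others; pass os.stat(path).st_mode."""
    return not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


# Constructed sample data so the script runs stand-alone.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Travel Engine
 * Version: 6.6.7
 */
"""

SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /tours/?mode=../../../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /tours/?mode=%252e%252e%2fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /tours/?mode=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /tours/?mode=list&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    state = "VULNERABLE, update now" if is_vulnerable_version(installed) else "patched"
    print(f"WP Travel Engine {installed}: {state}")
    for n, value in suspicious_mode_values(SAMPLE_LOG):
        print(f"log line {n}: suspicious mode={value!r}")
    print("wp-config.php 0644 permissions ok:", wp_config_mode_ok(0o100644))
```

On a real site, feed `version_from_plugin_header` the contents of the plugin's main PHP file under wp-content/plugins, point `suspicious_mode_values` at the access log, and pass `os.stat("wp-config.php").st_mode` to `wp_config_mode_ok`. Because the second sample line is double URL-encoded, a detector that only decodes once would miss it, which is why the script decodes the parameter a second time before matching.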

