WP Travel Engine < 6.5.2 – Missing Authorization to Unauthenticated Arbitrary Post Deletion | CVE 2025-5282 | Plugin Vulnerabilities

Description

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Affects Plugins

wp-travel-engine

Fixed in 6.5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ebc8d724-3936-42d8-8850-bc330c5221dc

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

c8796da4-ac22-4da4-aaaa-a3a9a187ad3d

Timeline

Publicly Published

2025-06-12 (about 11 months ago)

Added

2025-06-12 (about 11 months ago)

Last Updated

2025-06-13 (about 11 months ago)

Other

Published

Title

Published

2024-10-21

Title

My Wp Brand – Hide menu & Hide Plugin < 1.1.3 - Missing Authorization

Published

2025-12-11

Title

Spoter for Elementor <= 1.04 - Missing Authorization

Published

2024-03-29

Title

DELUCKS SEO < 2.5.5 - Missing Authorization

Published

2025-06-04

Title

InWave Jobs <= 3.5.8 - Missing Authorization

Published

2024-01-31

Title

NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via set_starred()