CVE-2024-37944 – This stored XSS vulnerability in WP Travel Engi... (How to Fix)

Q: What is the severity of CVE-2024-37944?

CVE-2024-37944 has a CVSS score of 6.5 (MEDIUM). This stored XSS vulnerability in WP Travel Engine allows attackers to inject malicious scripts into web pages that are then executed when other users view those pages. It affects all WordPress sites using WP Travel Engine plugin versions up to 5.9.1. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

📋 TL;DR

This stored XSS vulnerability in WP Travel Engine allows attackers to inject malicious scripts into web pages that are then executed when other users view those pages. It affects all WordPress sites using WP Travel Engine plugin versions up to 5.9.1. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:

WP Travel Engine WordPress Plugin

Versions: n/a through 5.9.1

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations with WP Travel Engine plugin enabled are vulnerable regardless of configuration.

📦 What is this software?

Wp Travel Engine by Wptravelengine

View all CVEs affecting Wp Travel Engine →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator credentials, take over the WordPress site, install backdoors, and compromise all user data including customer information and payment details.

🟠

Likely Case

Attackers steal user session cookies, redirect visitors to malicious sites, deface pages, or perform actions as authenticated users.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before reaching users, preventing execution.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

XSS vulnerabilities are commonly weaponized, though specific exploit details for this CVE are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.9.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-travel-engine/wordpress-wp-travel-engine-tour-booking-plugin-tour-operator-software-plugin-5-9-1-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Travel Engine and click 'Update Now'. 4. Verify version is 5.9.2 or higher.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable WP Travel Engine plugin until patched

wp plugin deactivate wp-travel-engine

Implement WAF Rules

all

Add XSS protection rules to web application firewall

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Use browser security headers like X-XSS-Protection and X-Content-Type-Options

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Travel Engine version

Check Version:

wp plugin get wp-travel-engine --field=version

Verify Fix Applied:

Verify WP Travel Engine version is 5.9.2 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to WP Travel Engine endpoints
Script tags in form submissions
Malicious payloads in user input fields

Network Indicators:

Script injection patterns in HTTP requests
Suspicious JavaScript in form data

SIEM Query:

source="*access.log*" AND ("wp-travel-engine" OR "wp_travel_engine") AND ("<script>" OR "javascript:" OR "onload=" OR "onerror=")

📊 Metadata

CVE ID: CVE-2024-37944

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

Published: July 20, 2024

Last Updated: February 11, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-37944, you might also want to check these: