CVE-2025-5282

7.5 HIGH

📋 TL;DR

The WP Travel Engine plugin for WordPress has an unauthenticated data deletion vulnerability. Because the plugin's REST API endpoint lacks capability checks, attackers can delete arbitrary posts without authenticating. All WordPress sites running this plugin at version 6.5.1 or earlier are affected.

💻 Affected Systems

Products:
  • WP Travel Engine – Tour Booking Plugin – Tour Operator Software
Versions: All versions up to and including 6.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin active.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete website content destruction with all posts deleted, causing business disruption and data loss.

🟠

Likely Case

Selective deletion of important posts, pages, or custom post types managed by the plugin.

🟢

If Mitigated

No impact if plugin is patched or removed, or if proper web application firewalls block the exploit.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request to vulnerable endpoint can trigger deletion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.2

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3305447/wp-travel-engine/tags/6.5.2/includes/classes/Core/Controllers/RestAPI/V2/Trip.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find WP Travel Engine.
4. Click Update Now to update to version 6.5.2 or higher.
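To show what "missing capability checks" means for a WordPress REST route, here is an added, illustrative registration of the delete endpoint in its weak form beside a hardened form. This is not the plugin's own code: the function names, the `id` parameter and the `trip-packages` post type are assumptions; only the route path comes from this advisory.

```php
<?php
// Illustrative only, not the plugin's actual code: a REST route that deletes a post without
// a capability check (the bug class in this advisory) beside the hardened registration.
// Vulnerable pattern: permission_callback admits anyone, handler deletes whatever ID it is given.
function wte_example_register_vulnerable_route() {
    register_rest_route( 'wp-travel-engine/v2', '/trip/delete-package', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',   // no authentication, no capability check
        'callback'            => function ( WP_REST_Request $request ) {
            return wp_delete_post( (int) $request->get_param( 'id' ), true );
        },
    ) );
}
// Hardened pattern: require a logged-in user who may delete that specific post,
// validate the ID, and confirm the post is of the type this endpoint manages.
function wte_example_register_hardened_route() {
    register_rest_route( 'wp-travel-engine/v2', '/trip/delete-package', array(
        'methods'             => 'POST',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            $id = (int) $request->get_param( 'id' );
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'delete_post', $id ) ) {   // per-post meta capability
                return new WP_Error( 'rest_forbidden', 'You may not delete this post.', array( 'status' => 403 ) );
            }
            return true;
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $id   = (int) $request->get_param( 'id' );
            $post = get_post( $id );
            // 'trip-packages' is an assumed post type name, not taken from the plugin.
            if ( ! $post || 'trip-packages' !== $post->post_type ) {
                return new WP_Error( 'rest_invalid_param', 'Not a trip package.', array( 'status' => 400 ) );
            }
            $result = wp_delete_post( $id, true );
            return rest_ensure_response( array( 'deleted' => (bool) $result ) );
        },
    ) );
}
// Only the hardened route is hooked; the vulnerable one is shown for comparison and never registered.
add_action( 'rest_api_init', 'wte_example_register_hardened_route' );
```

Cookie-authenticated REST requests also need a valid `X-WP-Nonce` header, otherwise WordPress treats the caller as anonymous and the 401 branch applies.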

🔧 Temporary Workarounds

Disable Plugin

Applies to: all

Temporarily deactivate the WP Travel Engine plugin until patched.

wp plugin deactivate wp-travel-engine

Web Application Firewall Rule

Applies to: all

Block requests to the vulnerable REST API endpoint.

Block POST requests to /wp-json/wp-travel-engine/v2/trip/delete-package

🧯 If You Can't Patch

  • Disable the WP Travel Engine plugin immediately.
  • Implement strict network segmentation and monitor for deletion attempts.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for WP Travel Engine plugin version 6.5.1 or lower.

Check Version:

wp plugin get wp-travel-engine --field=version

Verify Fix Applied:

Confirm plugin version is 6.5.2 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-json/wp-travel-engine/v2/trip/delete-package from unauthenticated users
  • Sudden increase in post deletions in WordPress logs

Network Indicators:

  • Unusual POST requests to WordPress REST API from external IPs
  • Traffic patterns showing mass deletion attempts

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-json/wp-travel-engine/v2/trip/delete-package" OR message="*delete_package*")
