CVE-2026-49078: WordPress WP Travel Engine plugin <= 6.7.10 - Other Vulnerability Type vulnerability
Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated integrity-violation vulnerability affects the WP Travel Engine WordPress plugin at version 6.7.10 and below. It is reachable over the network with no authentication required and no user interaction needed, making it trivially accessible to any remote attacker. Successful exploitation allows an attacker to tamper with or overwrite data managed by the plugin, with no confidentiality or availability impact reported. No fix version has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images containing the WP Travel Engine plugin, including custom-built WordPress images. Any image in a connected registry or CI pipeline running an affected plugin version is flagged automatically.
Available
HarborGuard scores this finding at CVSS 7.5 (HIGH) and weights it against each environment's configured compliance policy to determine escalation priority. Triage results are routed to the appropriate team inbox within the customer org based on ownership mappings and policy thresholds.
Available
Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the meantime, findings are surfaced continuously so customers can apply compensating controls while awaiting an upstream patch.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the affected WordPress installation over the network; no local or physical access is required.
- Authentication: Not required
  No account or credentials of any privilege level are needed to attempt exploitation.
- Victim interaction: Not required
  Exploitation does not require any action from an administrator or other user of the site.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configurations.
Blast Radius
- An attacker can write or overwrite data managed by the WP Travel Engine plugin, such as trip listings, booking records, or plugin configuration entries.
- Modified records are persisted to the WordPress database, meaning the impact survives page reloads and affects all visitors and administrators who view the altered content.
- Tampered booking or pricing data can directly affect downstream business logic, such as displayed trip costs or reservation details.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49078 is active across all connected environments, matching any image that bundles WP Travel Engine at or below version 6.7.10. Because no upstream patch exists yet, HarborGuard re-evaluates the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression run and a PR opened against affected workloads the moment a fix version is published. While awaiting an upstream patch, customers can apply compensating controls such as network-policy rules that restrict public HTTP access to the WordPress admin and plugin endpoints, web-application firewall rules targeting the vulnerable request path, or temporary feature-flag gating to disable affected plugin functionality. These mitigations can be documented and tracked as exceptions within each environment's compliance policy in HarborGuard.
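The version match described above can be reproduced by hand on an unpacked image filesystem or a web root. The following is an added example, not HarborGuard's or the plugin's own code; it assumes the plugin lives in a directory named `wp-travel-engine` under `wp-content/plugins` and that its main PHP file carries a standard WordPress `Version:` header.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (6, 7, 10)        # from the advisory: affected at 6.7.10 and below
PLUGIN_SLUG = "wp-travel-engine"  # assumption: plugin directory name
HEADER_BYTES = 8192               # WordPress reads plugin headers from the first 8 KB

_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_plugin_version(header_text):
    """Return the header's Version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 6.7.10.0 as 6.7.10
        parts.pop()
    return tuple(parts)


def is_affected(version):
    """True when version <= 6.7.10, the range given in the advisory."""
    return version <= LAST_AFFECTED


def scan(root):
    """Return [(plugin_dir, version, status)] for every copy found under root."""
    findings = []
    for plugin_dir in sorted(Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}")):
        if not plugin_dir.is_dir():
            continue
        version = None
        for php in sorted(plugin_dir.glob("*.php")):
            head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
            if "Plugin Name:" in head:
                version = parse_plugin_version(head)
                break
        if version is None:
            status = "unknown"  # header missing or unparsable: review by hand
        else:
            status = "affected" if is_affected(version) else "not affected"
        findings.append((str(plugin_dir), version, status))
    return findings


if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:12} {version} {path}")
```

Copies reported as `unknown` have no readable version header and need manual review before they are treated as clean.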
- WP Travel Engine / WP Travel Engine ≤ 6.7.10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N