HarborGuard Database

CVE-2026-49770 · Severity: CRITICAL · CNA: Patchstack

CVE-2026-49770: WordPress WP Travel Engine plugin <= 6.7.12 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fix version published yet (pending upstream)
Affected Products: 1


HarborGuard Analysis

Synopsis

CVE-2026-49770 is a PHP Object Injection vulnerability in the WP Travel Engine WordPress plugin, affecting all versions up to and including 6.7.12. The flaw is reachable over the network without authentication, so any external attacker can send a crafted request to a vulnerable site. PHP Object Injection arises when attacker-controlled data reaches unserialize(): the objects it instantiates carry attacker-chosen property values, and their magic methods (such as __destruct or __wakeup) then execute inside the application. The impact is rated high for confidentiality, integrity, and availability, and extends to remote code execution when a usable gadget (POP) chain exists among the classes loaded by WordPress core, the theme, and the other installed plugins. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as the upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-49770 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in both registry scans and CI pipeline checks. Coverage extends to custom-built images that bundle the WP Travel Engine plugin.

Triage: Available

HarborGuard scores this CVE at its published CVSS v3.1 severity of 9.8 (CRITICAL) and weights it against each environment's compliance policy to prioritize routing. Triage results are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published for CVE-2026-49770, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker can send a crafted HTTP request from any remote location without needing LAN or VPN access (AV:N).

  • Authentication: Not required

    No account or session credential of any privilege level is needed; the injection vector is reachable by completely unauthenticated requests (PR:N).

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any user or administrator of the affected site (UI:N).

  • Attack complexity: Low

    The exploit requires no race condition, memory-layout knowledge, or other environmental precondition (AC:L). The one variable is the gadget chain: what an attacker can do with the injected object depends on which classes are loaded in the target's PHP code base.

Blast Radius

  • A successful attacker can read sensitive data from the application, including configuration values, stored credentials, and user records.
  • The attacker can write or modify persisted application data, including plugin settings, user account details, and site content.
  • The attacker can disrupt availability of the affected service, causing crashes or denial of service for site visitors.
  • Depending on the PHP classes loaded by the application, the attacker may be able to chain their magic methods into a property-oriented programming (POP) chain and achieve arbitrary remote code execution on the underlying server.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged as CRITICAL (CVSS 9.8) and is matched against all customer images on every scan cycle. Because no upstream fix exists yet, the recommended compensating controls are: apply strict network policy so that only expected sources can reach the WordPress service; put affected containers behind a web application firewall rule that blocks request parameters carrying serialized PHP objects (the O:<length>:"<class>" marker); and, where operationally feasible, deactivate the WP Travel Engine plugin or disable the affected input surface. Treat the WAF rule as a stopgap only: signature matching on serialized payloads is coarse, can be evaded by encoded or wrapped payloads, and does not remove the vulnerable deserialization sink. HarborGuard continuously re-checks the Patchstack advisory feed and will make a patched-image rebuild available as soon as a remediated version of WP Travel Engine is released. For customers with auto-remediation enabled, the full rebuild, regression test run, and pull request against affected workloads are triggered automatically with no manual steps required.
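The PHP Object Injection pattern described in the synopsis and blast-radius sections, beside the hardened forms and the kind of request screening mentioned under compensating controls, as an added example. This is illustrative code written for this page, not WP Travel Engine's code and not HarborGuard's tooling: the LogWriter gadget class, the load_state_* functions, contains_serialized_object() and the serialized payload are all hypothetical and constructed, and none of it reflects the plugin's actual code path.

```php
<?php
// Added illustration of the PHP Object Injection pattern described in this
// advisory. NOT WP Travel Engine code: the LogWriter class, the
// load_state_* functions and the payload are hypothetical/constructed.
declare(strict_types=1);

// Hypothetical gadget class. Any loaded class with a side-effecting magic
// method (__destruct, __wakeup, __toString, ...) is a potential link in a
// property-oriented programming (POP) chain once unserialize() can
// instantiate it with attacker-chosen property values.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    public function __destruct()
    {
        // Runs automatically when the object is destroyed, even if the
        // application never calls a method on it. With attacker-controlled
        // $path and $data this becomes an arbitrary file write.
        file_put_contents($this->path, $this->data, FILE_APPEND);
    }
}

// Vulnerable sink: untrusted request data reaches unserialize() unrestricted.
function load_state_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened sink: allowed_classes => false turns every object in the payload
// into __PHP_Incomplete_Class, whose magic methods never execute.
function load_state_hardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Preferred: do not accept PHP's native serialization format from clients
// at all; a data-only format such as JSON cannot instantiate classes.
function load_state_json(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Coarse compensating control of the kind a WAF rule implements: flag values
// carrying the serialized-object marker  O:<len>:"<class>":<n>:{ .
// The pattern is unanchored, so objects nested inside arrays ("a:...") are
// caught too, but base64-, URL- or JSON-wrapped payloads are not unless the
// value is decoded first. This is a stopgap, not a fix.
function contains_serialized_object(string $value): bool
{
    return preg_match('/O:\d+:"[^"]+":\d+:\{/', $value) === 1;
}

// Constructed payload: a LogWriter whose properties point at a file and
// content the attacker chose. String lengths must match exactly.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:12:"/tmp/poc.txt";s:4:"data";s:8:"injected";}';

// 1. Vulnerable path: a real LogWriter is built; when it goes out of scope
//    __destruct() writes /tmp/poc.txt on the attacker's behalf.
$obj = load_state_vulnerable($payload);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);
printf("file written: %s\n", file_exists('/tmp/poc.txt') ? 'yes' : 'no');
@unlink('/tmp/poc.txt');

// 2. Hardened path: same bytes, but no LogWriter is ever instantiated.
$safe = load_state_hardened($payload);
printf("hardened:   got %s\n", get_class($safe));

// 3. JSON path: the payload is simply rejected as malformed input.
try {
    load_state_json($payload);
} catch (JsonException $e) {
    printf("json:       rejected (%s)\n", $e->getMessage());
}

// 4. Request-level screening, as a stopgap until the upstream fix ships.
printf("waf rule flags payload: %s\n", contains_serialized_object($payload) ? 'yes' : 'no');
printf("waf rule flags benign:  %s\n", contains_serialized_object('{"trip":42}') ? 'yes' : 'no');
```

Run with PHP 8.0 or later. On the vulnerable path the destructor fires as soon as the object's last reference is dropped, which is why the file appears without the application ever "using" the object; on the hardened path get_class() reports __PHP_Incomplete_Class and no magic method runs; json_decode throws a JsonException. The regex rule is deliberately simple so the caveat is visible: it sees only the plain serialized form, so network restriction or deactivating the plugin remains the stronger control while the fix is pending.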

Affected packages
  • WP Travel Engine / WP Travel Engine: ≤ 6.7.12
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H