WP Travel Engine – Tour Booking Plugin – Tour Operator Software Vulnerability (CVE-2026-2437)

Security Alert Summary

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is affected by a stored Cross-Site Scripting (XSS) vulnerability in the plugin’s wte_trip_tax shortcode. Insufficient input sanitization and output escaping on user-supplied shortcode attributes allow authenticated attackers with contributor-level access or higher to inject scripts that execute when a user views an affected page.

CVE Details

  • CVE ID: CVE-2026-2437
  • Affected component: WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress
  • Affected versions: All versions up to and including 6.7.5
  • Published: April 4, 2026 at 9:16:20 AM (UTC)
  • Last modified: April 4, 2026 at 9:16:20 AM (UTC)
  • CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Authenticated attacker with contributor-level access or above. Privileges Required: Low. User Interaction: None.
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)

Technical Details

This is a stored XSS vulnerability stemming from insufficient input sanitization and output escaping of user-supplied attributes provided to the wte_trip_tax shortcode. When a user with contributor permissions or higher supplies crafted attributes, those values can be stored and later rendered without proper escaping, allowing arbitrary web scripts to run in the context of any user who views the injected page.

The advisory points to the plugin’s custom shortcode implementation (includes/class-wp-travel-engine-custom-shortcodes.php) as the code that handles these attributes. This is stored rather than reflected XSS: the injected script persists in the saved content and executes each time the page is loaded.
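To make the root cause concrete, here is an added illustration of the vulnerable pattern beside its hardened form. This is not the plugin's code: the shortcode name `example_trip_tax`, the attribute names `label` and `rate`, and the markup are all assumptions; only the WordPress API calls (`shortcode_atts`, `sanitize_text_field`, `esc_attr`, `esc_html`, `number_format_i18n`, `add_shortcode`) are real.

```php
<?php
// Added example (not the plugin's code): a generic WordPress shortcode
// handler that interpolates attributes unescaped, beside the same handler
// with input sanitization and context-appropriate output escaping.
// Shortcode name and the 'label' / 'rate' attributes are assumed.

// Vulnerable pattern: attribute values are concatenated into markup verbatim.
// A contributor can set these values in any post they may edit; the page
// renders them to every viewer, including editors and administrators.
function example_trip_tax_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Tax', 'rate' => '' ), $atts, 'example_trip_tax' );
    // Quotes or angle brackets in $atts['label'] break out of the title
    // attribute or the text node and are interpreted as HTML by the browser.
    return '<span class="trip-tax" title="' . $atts['label'] . '">'
        . $atts['label'] . ': ' . $atts['rate'] . '</span>';
}

// Hardened pattern: sanitize on the way in, escape for each output context.
function example_trip_tax_safe( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Tax', 'rate' => '' ), $atts, 'example_trip_tax' );

    // Strip tags and control characters from the free-text attribute.
    $label = sanitize_text_field( $atts['label'] );
    // Coerce the numeric attribute to a float so no markup can survive in it.
    $rate  = is_numeric( $atts['rate'] ) ? (float) $atts['rate'] : 0.0;

    // esc_attr() for the attribute context, esc_html() for the text context.
    // Escaping at output is what closes the hole even if input sanitization
    // is later bypassed or skipped by another code path.
    return sprintf(
        '<span class="trip-tax" title="%1$s">%2$s: %3$s%%</span>',
        esc_attr( $label ),
        esc_html( $label ),
        esc_html( number_format_i18n( $rate, 2 ) )
    );
}
add_shortcode( 'example_trip_tax', 'example_trip_tax_safe' );
```

With a constructed input such as `[example_trip_tax label='VAT <b>' rate="7.5"]`, the unsafe handler emits the `<b>` tag as markup, while the safe handler first strips it with `sanitize_text_field()` and would, for any character that survived, emit `&lt;` and `&gt;` via `esc_html()`. The point for reviewers is the second layer: treat every shortcode attribute as untrusted at the moment it is written into HTML, regardless of what the author's role is.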

Impact is limited to the actions and data available to users who view the affected pages. The vulnerability does not itself imply full site takeover, but it can be used to perform actions or harvest information available to victims in the context of their accounts.

How This Could Impact Your Website

Consider a site where an external contractor or contributor can edit content using the plugin’s shortcodes. That person could supply a malicious attribute value via the wte_trip_tax shortcode. When internal staff or site administrators view the page, the injected script could run in their browser. Practical consequences include exposure of data available to those users, session token theft, or the display of content that facilitates targeted phishing or social engineering against staff or customers.

If you rely on multiple user roles—site owners, editors, contributors, or external contractors—this type of vulnerability increases the risk that a lower-privileged account is used to reach data or actions that belong to higher-privileged users. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and privileges, especially for contributors and other low-privilege accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and themes to reduce attack surface.
  • Monitor site activity and logs for unusual behavior or unexpected content changes on pages that use shortcodes.
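As a concrete form of the last recommendation, below is an added audit script (not part of the advisory or the plugin) that lists every post whose `wte_trip_tax` shortcode carries an attribute name or value a legitimate tax label would not contain. It is meant to be run with `wp eval-file` so WordPress is loaded; the function names prefixed `example_`, the heuristic pattern, and the output format are assumptions.

```php
<?php
// Added audit script (not from the advisory or the plugin). Run as:
//   wp eval-file audit-wte-trip-tax.php
// It scans all post types and statuses for the wte_trip_tax shortcode and
// reports attributes whose names or values contain markup delimiters,
// quotes, inline event handlers, or javascript: URLs. Heuristic is assumed.

// True when an attribute name or value looks like markup rather than a label.
function example_is_suspicious_attr( $name, $value ) {
    if ( preg_match( '/^on[a-z]+$/i', (string) $name ) ) {
        return true; // an attribute name like onmouseover has no business here
    }
    return (bool) preg_match( '/[<>"\']|on[a-z]+\s*=|javascript:/i', (string) $value );
}

// Returns one finding per suspicious attribute, with enough context to
// decide who wrote it and when.
function example_audit_trip_tax_shortcodes() {
    global $wpdb;

    // Only rows that mention the shortcode at all; include drafts and pending
    // items, since contributor submissions usually sit there before review.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_author, post_type, post_status, post_modified, post_content
           FROM {$wpdb->posts}
          WHERE post_content LIKE %s",
        '%' . $wpdb->esc_like( '[wte_trip_tax' ) . '%'
    ) );

    // WordPress's own shortcode regex limited to this tag. Capture group 1/6
    // mark an escaped [[shortcode]] (not rendered); group 3 is the raw
    // attribute string.
    $regex    = '/' . get_shortcode_regex( array( 'wte_trip_tax' ) ) . '/';
    $findings = array();

    foreach ( $rows as $row ) {
        if ( ! preg_match_all( $regex, $row->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            if ( '[' === $m[1] && ']' === $m[6] ) {
                continue; // escaped shortcode, displayed literally
            }
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                continue; // no attributes at all
            }
            foreach ( $atts as $name => $value ) {
                if ( example_is_suspicious_attr( $name, $value ) ) {
                    $findings[] = array(
                        'post_id'   => (int) $row->ID,
                        'post_type' => $row->post_type,
                        'status'    => $row->post_status,
                        'author'    => get_the_author_meta( 'user_login', $row->post_author ),
                        'modified'  => $row->post_modified,
                        'attribute' => $name,
                        'value'     => $value,
                    );
                }
            }
        }
    }
    return $findings;
}

foreach ( example_audit_trip_tax_shortcodes() as $f ) {
    WP_CLI::log( sprintf(
        'post %d (%s, %s) by %s, modified %s: attribute "%s" = %s',
        $f['post_id'], $f['post_type'], $f['status'], $f['author'],
        $f['modified'], $f['attribute'], json_encode( $f['value'] )
    ) );
}
```

Run it once before updating to establish a baseline, and again after any bulk content import or contributor onboarding. A hit is not proof of injection, since a label could legitimately contain an apostrophe, but every hit should be read by a human, and the author and modification time tell you which account and which window to look at in the activity log. Revisions (`wp post list --post_type=revision`) are worth the same check, because a malicious attribute that was later edited out still shows who introduced it.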

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.