{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5282", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-27T16:31:42.141Z", "datePublished": "2025-06-13T03:41:45.148Z", "dateUpdated": "2026-04-08T17:31:17.667Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:17.667Z"}, "affected": [{"vendor": "wptravelengine", "product": "WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts."}], "title": "WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebc8d724-3936-42d8-8850-bc330c5221dc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3305447/wp-travel-engine/tags/6.5.2/includes/classes/Core/Controllers/RestAPI/V2/Trip.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-06-12T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-13T19:05:10.269717Z", "id": "CVE-2025-5282", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T19:06:11.826Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5282", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-13T19:05:10.269717Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T19:05:56.832Z"}}], "cna": {"title": "WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "wptravelengine", "product": "WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-12T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebc8d724-3936-42d8-8850-bc330c5221dc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3305447/wp-travel-engine/tags/6.5.2/includes/classes/Core/Controllers/RestAPI/V2/Trip.php"}], "descriptions": [{"lang": "en", "value": "The WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:17.667Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5282", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:17.667Z", "dateReserved": "2025-05-27T16:31:42.141Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-13T03:41:45.148Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wptravelengine:wp_travel_engine:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "AC9FBFF5-B7B3-46F2-99B0-393B328EB5D4", "versionEndExcluding": "6.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts."}, {"lang": "es", "value": "El complemento WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n delete_package() en todas las versiones hasta la 6.5.1 incluida. Esto permite que atacantes no autenticados eliminen publicaciones arbitrarias."}], "id": "CVE-2025-5282", "lastModified": "2025-07-10T00:35:40.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-06-13T04:15:28.983", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3305447/wp-travel-engine/tags/6.5.2/includes/classes/Core/Controllers/RestAPI/V2/Trip.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebc8d724-3936-42d8-8850-bc330c5221dc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:21:18.309225+00:00", "value": {"mitigation_remediation": ["Update the WP Travel Engine plugin to version 6.5.2 or later, which adds the missing capability check to delete_package().", "If an immediate update is not possible, consider disabling all REST API endpoints that expose deletion functionality for unauthenticated users via .htaccess or a security plugin.", "As a temporary measure, remove or restrict the delete_package() functionality from public access by applying a custom capability filter or using a plugin that blocks unauthorized REST API actions."], "summary": {"action": "Apply Patch", "impact": "Data Loss via Unauthenticated Deletion"}, "threat_synthesis": {"affected_systems": "All installations of the WP Travel Engine plugin up to and including version 6.5.1 are impacted. Users running WordPress with this plugin version should verify their current release; any instance prior to 6.5.2 lacks the necessary authorization guard.\n", "description_and_impact": "The WP Travel Engine \u2013 Tour Booking Plugin for WordPress suffers from a missing capability check in the delete_package() function, allowing attackers without any authentication to delete arbitrary posts. This flaw is a classical Missing Authorization issue (CWE\u2011862) and can result in the loss of tour listings, pricing information, and other critical booking data. The vulnerability directly compromises data integrity and availability for the affected site.\n", "risk_and_exploitability": "With a CVSS score of 7.5, the issue carries high severity. The EPSS score is below 1%, indicating relatively low current exploit probability, and the vulnerability is not currently flagged in the CISA KEV catalog. Nevertheless, the attack path is straightforward: an unauthenticated user can target the REST API endpoint responsible for deletion and trigger post removal with no additional credentials.\n"}}}}, "created": "2026-04-22T01:30:05.233771+00:00", "updated": "2026-04-22T01:30:05.233781+00:00", "vendors": []}