{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2437", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T23:05:21.861Z", "datePublished": "2026-04-04T08:25:19.379Z", "dateUpdated": "2026-04-08T16:49:49.750Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:49.750Z"}, "affected": [{"vendor": "wptravelengine", "product": "WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.7.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46731877-03e1-4552-8993-3b121b457b1b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467196/wp-travel-engine/tags/6.7.6/includes/class-wp-travel-engine-custom-shortcodes.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-05T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-12T23:20:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T19:44:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:45:50.522581Z", "id": "CVE-2026-2437", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:46:00.544Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:45:50.522581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:45:54.643Z"}}], "cna": {"title": "WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wptravelengine", "product": "WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.7.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-12T23:20:42.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T19:44:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46731877-03e1-4552-8993-3b121b457b1b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467196/wp-travel-engine/tags/6.7.6/includes/class-wp-travel-engine-custom-shortcodes.php"}], "descriptions": [{"lang": "en", "value": "The WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-04T08:25:19.379Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2437", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:46:00.544Z", "dateReserved": "2026-02-12T23:05:21.861Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T08:25:19.379Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2437", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T09:16:20.003", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3467196/wp-travel-engine/tags/6.7.6/includes/class-wp-travel-engine-custom-shortcodes.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46731877-03e1-4552-8993-3b121b457b1b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.7.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Travel Engine \u2013 Tour Booking Plugin \u2013 Tour Operator Software", "source": "cna", "vendor": "wptravelengine"}, "product": "wp_travel_engine_\u2013_tour_booking_plugin_\u2013_tour_operator_software", "vendor": "wptravelengine"}], "analysis": {"en": {"generated_at": "2026-04-04T11:21:10.141226+00:00", "value": {"mitigation_remediation": ["Update WP Travel Engine to version 6.7.6 or later.", "Verify that no malicious scripts remain in content that uses the wte_trip_tax shortcode.", "Restrict or revoke contributor\u2011level access for untrusted users.", "If an immediate update is not feasible, remove or disable the wte_trip_tax shortcode from editable content to prevent script execution."], "summary": {"action": "Patch Now", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "WordPress sites running WP Travel Engine versions up to and including 6.7.5 are affected. Site owners using earlier plugin versions should verify they are using version 6.7.6 or later to eliminate the flaw.", "description_and_impact": "The WP Travel Engine \u2013 Tour Booking Plugin suffers from a stored cross\u2011site scripting vulnerability. Attackers who can authenticate with contributor level or higher can supply arbitrary script code via attributes of the plugin\u2019s wte_trip_tax shortcode. When a user loads a page containing the injected shortcode, the attacker\u2019s script executes in the victim\u2019s browser, allowing theft of session data, cookie hijacking, or other client\u2011side attacks.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.4, indicating moderate severity. External Public Supply Score is not available, and the issue is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Because the attacker requires authenticated contributor access, exploitation likelihood depends on the availability of such accounts and whether the site exposes the affected shortcode in editable content. Once accessed, the stored nature of the payload means the attack can affect any user who views the affected page."}}}}, "created": "2026-04-06T20:27:34.514689+00:00", "updated": "2026-04-06T22:20:53.648682+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wptravelengine", "wptravelengine$PRODUCT$wp_travel_engine_\u2013_tour_booking_plugin_\u2013_tour_operator_software"]}