External risk intelligence

WP Travel Engine PHP Object Injection Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-49770

A critical vulnerability exists in the WP Travel Engine plugin, allowing unauthenticated PHP object injection. This could lead to arbitrary code execution, impacting data confidentiality, integrity, and system availability. The technology is a WordPress plugin, commonly internet-facing. The uncertainty is whether this

Halo Surface Signal: 4

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-49770

The vulnerability affects a WordPress plugin, which is typically deployed as part of an internet-facing web application. As a public-facing website component, the attack surface is commonly reachable from the internet in standard real-world deployments.

PCI scan relevance

PCI Relevance for CVE-2026-49770

Yes

CVE-2026-49770 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Unauthenticated PHP Object Injection in WP Travel Engine can lead to unauthorized control of a website and sensitive data exposure, potentially causing PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical security vulnerability has been identified in the WP Travel Engine WordPress plugin that is exploitable by unauthenticated users. This issue could allow for the injection of malicious code, with severe implications for data confidentiality, integrity, and system availability. It is important to confirm whether this plugin is in use and assess the associated risk.

  • Unauthenticated code injection in a WordPress plugin.
  • Critical flaw could compromise data and systems.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted data to an unauthenticated endpoint within the WP Travel Engine plugin. This could lead to the execution of arbitrary PHP code on the server.

  • No authentication required.
  • Triggered by unauthenticated input.
  • Complete server takeover possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious PHP objects into the system. According to the advisory, this could lead to the execution of arbitrary code, potentially impacting the integrity and availability of the affected WordPress site.

  • System data and service behavior could be affected.
  • Exposure can occur via network access.
  • Arbitrary code execution is a realistic consequence.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in WP Travel Engine likely impacts teams responsible for maintaining WordPress sites, including application owners, infrastructure teams, and potentially vendor management if the plugin was sourced externally. The first practical step is to identify all instances of the affected plugin, confirm their exposure to the internet and business criticality, and then prioritize remediation based on the risk assessment.

  • WordPress application owners.
  • Verify plugin reachability and business impact.
  • Plan coordinated remediation.

Frequently asked questions

What is the WP Travel Engine plugin?

WP Travel Engine is a WordPress plugin designed to help travel agencies and tour operators manage bookings, itineraries, and travel packages on their websites. It functions as a specialized extension that adds complex travel-management capabilities to the core WordPress platform, allowing site administrators to process customer data and interact with visitors through a dedicated interface.

What does PHP Object Injection mean for CVE-2026-49770?

This vulnerability falls under the Weakness Class of Deserialization of Untrusted Data (CWE-502). In plain English, the plugin incorrectly processes data sent from a user, treating untrusted input as a trusted object. This flaw allows an attacker to manipulate the program's logic by injecting malicious objects, which can force the server to execute unintended commands or unauthorized code.
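As an added illustration (not WP Travel Engine's code and not the CVE's actual code path), the CWE-502 pattern behind PHP object injection is shown next to two hardened variants and a simple defender-side check; the function names and the sample inputs are hypothetical and constructed here.

```php
<?php
// Illustrative example only; not code from the affected plugin.

// VULNERABLE: unserialize() on attacker-controlled input. PHP instantiates
// whatever class the serialized string names, and that class's magic methods
// (__wakeup, __destruct, ...) run with the web server's privileges. This is
// the Deserialization of Untrusted Data (CWE-502) pattern.
function restore_state_unsafe(string $raw): mixed {
    return unserialize($raw);
}

// HARDENED, option 1: refuse to instantiate any object. Scalars and arrays
// still deserialize; an "O:" payload becomes __PHP_Incomplete_Class and no
// magic methods execute.
function restore_state_scalar_only(string $raw): mixed {
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED, option 2: do not use PHP's native format for untrusted data at
// all. JSON cannot name a class, so there is no object to inject.
function restore_state_json(string $raw): ?array {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Defender-side check for log or WAF review: does a request body carry a
// serialized PHP object? "O:<len>:"<class>"" marks an object, "C:" a class
// implementing Serializable. Useful for spotting attempts, not as the fix.
function looks_like_serialized_object(string $raw): bool {
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed sample inputs (the class name below does not exist).
$benign  = serialize(['trip' => 'everest-base-camp', 'pax' => 2]);
$hostile = 'O:12:"AnyClassName":0:{}';

var_dump(looks_like_serialized_object($benign));
var_dump(looks_like_serialized_object($hostile));
var_dump(restore_state_scalar_only($hostile) instanceof __PHP_Incomplete_Class);
var_dump(restore_state_json($hostile));
```

Run with `php example.php`; the hardened functions accept the benign array but never build a live object from the hostile string.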

How does an attacker trigger this vulnerability?

An attacker triggers this issue by sending specifically crafted, malicious data to an unauthenticated endpoint within the plugin. Because the vulnerability does not require any user account or password, it can be triggered by any remote visitor. Simply accessing the public parts of a website that do not interact with the plugin’s data-handling endpoints will not trigger the vulnerability.

Is my website at risk from this CVE?

According to Halo Surface Signal, this plugin is typically part of an internet-facing web application, making it highly likely to be reachable from the public internet. If you are running an affected version of WP Travel Engine on a public-facing WordPress site, your environment is considered to have an external attack surface, increasing the urgency of your security review compared to internal-only tools.

What steps should I take if I use WP Travel Engine?

Your first step is to inventory all WordPress installations to confirm if the plugin is present and identify which versions are active. Once identified, evaluate the business criticality of those sites and monitor for official updates or guidance from the plugin vendor. Prioritize updating or isolating any instances that are directly accessible to the internet to mitigate the risk of unauthorized code execution.
