
Multiple WordPress vulnerabilities affect 20000+ travel sites

László Kovács

Content Manager, SpaceLama.com

Security researchers have discovered two critical vulnerabilities in the WP Travel Engine plugin, which is used on more than 20000 travel websites worldwide. According to journalist and SEO analyst Roger Monti, who reported the issue in Search Engine Journal, both vulnerabilities received a CVSS score of 9.8 – the highest severity rating. 

Here’s what that means.

So, what happened? 

Two major vulnerabilities have been discovered in WP Travel Engine, and let us say, they are severe! They allow attackers to access the site without any authentication: no username, password, or internal access needed. These flaws can be exploited remotely and anonymously by almost anyone.

The first issue arises from the plugin’s inadequate validation of externally supplied data. This means a malicious actor can send a crafted request to force the site to execute actions typically restricted to administrators, such as modifying pages, changing settings, or uploading malicious files.

The second vulnerability is tied to the handling of AJAX requests, which are background operations that WordPress uses for forms and dynamic features. WP Travel Engine fails to properly verify user permissions for certain requests, enabling attackers to send commands that the system mistakenly processes as coming from an administrator.

When combined, these vulnerabilities allow for a complete bypass of WordPress’s built-in security mechanisms. A successful attack essentially grants administrative privileges, giving an attacker free rein to alter content, redirect visitors to malicious sites, inject malware, or use the compromised site as a launching pad for further attacks.
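To make the two flaws concrete, here is an added illustration written for this article, not code taken from WP Travel Engine or from WordPress itself. It shows the shape of an AJAX handler that trusts the request (no nonce, no capability check, reachable without login, input stored unvalidated) next to the hardened version that adds each missing check. The action name `trip_update_settings`, the option key and the field names are hypothetical.

```php
<?php
// Added illustration (not WP Travel Engine's code): an AJAX action handler
// of the kind described above, first with the checks missing, then hardened.
// "trip_update_settings", "trip_settings" and the field names are assumptions.

// --- Vulnerable pattern: the handler trusts the request completely ----------
// Registering the same callback for wp_ajax_nopriv_* makes it reachable
// without any login; the callback then never asks who is calling, whether
// the request carries a valid nonce, or whether the data is sane.
add_action( 'wp_ajax_trip_update_settings',        'trip_update_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_trip_update_settings', 'trip_update_settings_vulnerable' );

function trip_update_settings_vulnerable() {
    // Externally supplied data written straight into a site-wide option.
    update_option( 'trip_settings', $_POST['settings'] );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
// Only logged-in users reach the handler (no nopriv hook), the request must
// carry a nonce issued to that user, the user must hold a capability that
// only administrators have, and the data is validated before it is stored.
add_action( 'wp_ajax_trip_update_settings', 'trip_update_settings_hardened' );

function trip_update_settings_hardened() {
    // 1. Nonce check: rejects forged or cross-site requests (dies with 403 on failure).
    check_ajax_referer( 'trip_settings_nonce', 'nonce' );

    // 2. Capability check: the action maps to a real privilege, not merely "logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only the fields we expect, in the shapes we expect.
    $raw   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $clean = array(
        'currency'      => isset( $raw['currency'] ) ? sanitize_key( $raw['currency'] ) : 'usd',
        'max_travelers' => isset( $raw['max_travelers'] ) ? absint( $raw['max_travelers'] ) : 1,
    );
    if ( ! in_array( $clean['currency'], array( 'usd', 'eur', 'gbp' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Unsupported currency.' ), 400 );
    }

    update_option( 'trip_settings', $clean );
    wp_send_json_success( $clean );
}

// The nonce the hardened handler expects is issued server-side to the admin page's
// script, e.g. wp_create_nonce( 'trip_settings_nonce' ) passed via wp_localize_script().
```

The three checks are independent: a nonce alone does not prove the caller is an administrator (any logged-in user can obtain one), and a capability check alone does not stop a cross-site request riding on an administrator's session, which is why both belong in every state-changing handler.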

This isn’t an isolated incident. Similar issues have hit the travel industry before. For instance, in 2020, vulnerabilities in the MotoPress Hotel Booking plugin let attackers access guests’ personal data. Since most travel websites run on WordPress and heavily depend on third-party plugins, any security flaw in a widely used tool can spiral into a major problem.

Why it matters for travel businesses

The travel industry is especially vulnerable to cyber threats because its websites handle data with significant commercial value. Booking forms, tour inquiries, customer contact details, itineraries, and payment information all make these sites prime targets for attackers. Consequently, critical vulnerabilities in a plugin used by thousands of travel projects pose a heightened risk to affected businesses.

Another key issue is that many travel companies opt for WordPress due to its flexibility and low barrier to entry. Their websites are often managed by non-technical staff, like managers, marketers, or external contractors, who install plugins “as needed”, frequently overlooking regular updates or security audits.

Who is affected

Vulnerabilities in WP Travel Engine primarily impact travel website owners using the plugin to publish tours, itineraries, and manage booking or inquiry forms. According to Search Engine Journal, the plugin is installed on 20000+ websites worldwide, many belonging to small travel agencies that often lack a dedicated IT team. As a result, updates and technical maintenance can be pretty inconsistent.

Turnkey websites created by web studios or freelancers are also at risk. Clients usually rely on developers only during the initial project launch, while ongoing technical support tends to be limited or entirely absent. This means that any plugin may remain vulnerable for months or even years. Compromises on these sites can be particularly damaging, given the travel industry’s heavy reliance on online sales channels.

Another vulnerable group includes agencies and freelancers who use WP Travel Engine as a common component across multiple client projects. A single compromised plugin can threaten numerous websites simultaneously, creating a cascading effect. This not only increases the risk for website owners but also poses reputational challenges for developers.

Lastly, large tourism marketplaces using WordPress for their catalogs or information portals are not immune. Even with robust IT support, a single vulnerable component within a complex system can lead to serious incidents. 

Reddit users remained unamused, saying it’s nothing serious if you’ve already updated the plugin.

Immediate actions to take

  1. Update WP Travel Engine to the latest version

The latest update includes patches for both critical vulnerabilities.

  2. If updating is not possible, temporarily disable the plugin

This is a temporary workaround if the update causes conflicts with the theme, custom code, or server configuration.

  3. Check logs and recent site activity

Look for newly created users (especially administrators), changes to theme or plugin files, installation of unknown plugins, and any unusual or unexplained actions.

  4. Reset administrator passwords and update WordPress security keys

Change the administrator password and regenerate WP security keys such as AUTH_KEY, SECURE_AUTH_KEY, and others.

  5. Scan the site for malicious code

Use reputable security tools to check for file integrity issues, unauthorized changes, and the presence of malicious scripts.

  6. Activate a Web Application Firewall (WAF)

Enable either a hosting-level WAF or third-party solutions like Cloudflare or Sucuri to block exploit attempts at the request level.

  7. Ensure automatic backups are enabled

It’s advisable to maintain daily backups, keep multiple recent versions, and store backups off-site.
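The "newly created administrators" and "pending updates" parts of the list above can be checked from the command line rather than by clicking through wp-admin. The script below is an added example written for this article, not a tool from WP Travel Engine or WordPress; it assumes WP-CLI is installed, that you run it from the site root with `wp eval-file wp-triage.php`, and it uses a placeholder 30-day window that you should set to your own incident timeline.

```php
<?php
/**
 * Added triage script (not part of WP Travel Engine or WordPress).
 * Run from the site root:  wp eval-file wp-triage.php
 * Reports:
 *   - every administrator account, flagging those registered inside the window
 *   - every plugin with a pending update (WP Travel Engine included, if outdated)
 * Assumption: the 30-day window is a placeholder; set it to when you think
 * the exposure began.
 */

$window_days = 30;
$cutoff      = time() - $window_days * DAY_IN_SECONDS;

// 1. Administrator accounts, newest first. user_registered is stored in UTC.
WP_CLI::log( '== Administrator accounts ==' );
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
$flagged = 0;
foreach ( $admins as $user ) {
    $registered = strtotime( $user->user_registered );
    $flag       = '';
    if ( $registered !== false && $registered >= $cutoff ) {
        $flag = '  <-- created inside the window, verify who made it';
        $flagged++;
    }
    WP_CLI::log( sprintf( '%-20s %-32s %s%s',
        $user->user_login, $user->user_email, $user->user_registered, $flag ) );
}
WP_CLI::log( sprintf( '%d administrator(s), %d created in the last %d days',
    count( $admins ), $flagged, $window_days ) );

// 2. Plugins with a pending update. Refresh the update data first so the
//    answer reflects the current plugin directory, not a cached transient.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
wp_update_plugins();
$installed = get_plugins();
$updates   = get_site_transient( 'update_plugins' );

WP_CLI::log( "\n== Plugins with a pending update ==" );
if ( empty( $updates->response ) ) {
    WP_CLI::log( 'none' );
} else {
    foreach ( $updates->response as $plugin_file => $info ) {
        $current = isset( $installed[ $plugin_file ]['Version'] )
            ? $installed[ $plugin_file ]['Version']
            : '?';
        WP_CLI::log( sprintf( '%-45s %s -> %s', $plugin_file, $current, $info->new_version ) );
    }
}
```

Any administrator you cannot account for should be removed, not just demoted, and after that the remaining administrators' passwords should be reset. The key regeneration from step 4 is a one-liner with the same tool, `wp config shuffle-salts`, which rewrites the AUTH_KEY, SECURE_AUTH_KEY and related constants in wp-config.php and invalidates every existing login cookie.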

Long-term security recommendations

Long-term website security starts with consistent updates. WordPress itself, along with all themes and plugins, should be regularly updated, not just in response to critical vulnerabilities making headlines. Most breaches occur not due to sophisticated zero-day exploits, but because neglected outdated components leave openings for attackers.

Reduce the Number of Plugins

Minimizing the reliance on third-party modules can significantly lower the overall attack surface. This is crucial for travel websites, which often use numerous extensions for bookings, forms, catalogs, and integrations. Conduct a full audit of installed plugins to identify and remove outdated, unsupported, or rarely used components before they become security liabilities.

Implement File Integrity Monitoring

From an infrastructure standpoint, it’s essential to employ file integrity monitoring tools. These solutions track any changes to the site’s code and alert the owner to suspicious activity in real time. If an attacker tries to upload a malicious script or alter a theme file, the system will detect it, enabling prompt action before the situation escalates.
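Commercial file integrity tools do essentially what the following script does, and having the bare mechanism in front of you makes their alerts easier to interpret. This is an added example written for this article, not code from the article's author or from any WordPress plugin; it runs with plain PHP from the shell, needs no WordPress bootstrap, and serves both the "changes to theme or plugin files" check in the triage list and the ongoing monitoring described here. The paths in the usage comments are placeholders, and the skipped `uploads` and `cache` directories are an assumption you may want to change.

```php
<?php
/**
 * Added example: minimal file integrity monitoring for a WordPress install.
 * Usage (paths are placeholders):
 *   php wp-fim.php baseline /var/www/site/wp-content baseline.json
 *   php wp-fim.php verify   /var/www/site/wp-content baseline.json
 * "baseline" records a SHA-256 hash of every file under the directory;
 * "verify" reports files added, removed or modified since then and exits
 * non-zero when anything changed, so cron or a CI job can turn it into an alert.
 * Assumption: uploads/ and cache/ are skipped because legitimate activity
 * changes them constantly (uploads/ should have PHP execution disabled at
 * the web server instead).
 */

function fim_hash_tree( string $root, array $skip_dirs = array( 'uploads', 'cache' ) ): array {
    $real = realpath( $root );
    if ( $real === false || ! is_dir( $real ) ) {
        throw new RuntimeException( "Not a directory: $root" );
    }
    $real   = rtrim( $real, DIRECTORY_SEPARATOR );
    $hashes = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveCallbackFilterIterator(
            new RecursiveDirectoryIterator( $real, FilesystemIterator::SKIP_DOTS ),
            // Returning true for a directory lets the iterator descend into it.
            function ( SplFileInfo $f ) use ( $skip_dirs ) {
                return ! ( $f->isDir() && in_array( $f->getFilename(), $skip_dirs, true ) );
            }
        )
    );
    foreach ( $iter as $file ) {
        if ( $file->isFile() ) {
            $rel            = substr( $file->getPathname(), strlen( $real ) + 1 );
            $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );
    return $hashes;
}

function fim_diff( array $baseline, array $current ): array {
    $modified = array();
    foreach ( array_intersect_key( $current, $baseline ) as $path => $hash ) {
        if ( ! hash_equals( $baseline[ $path ], $hash ) ) {
            $modified[] = $path;
        }
    }
    return array(
        'added'    => array_keys( array_diff_key( $current, $baseline ) ),
        'removed'  => array_keys( array_diff_key( $baseline, $current ) ),
        'modified' => $modified,
    );
}

if ( PHP_SAPI === 'cli' && isset( $argv ) && count( $argv ) === 4 ) {
    list( , $mode, $dir, $baseline_file ) = $argv;
    if ( $mode === 'baseline' ) {
        file_put_contents( $baseline_file, json_encode( fim_hash_tree( $dir ), JSON_PRETTY_PRINT ) );
        echo "Baseline written to $baseline_file\n";
    } elseif ( $mode === 'verify' ) {
        $baseline = json_decode( (string) file_get_contents( $baseline_file ), true );
        if ( ! is_array( $baseline ) ) {
            fwrite( STDERR, "Cannot read baseline $baseline_file\n" );
            exit( 2 );
        }
        $diff = fim_diff( $baseline, fim_hash_tree( $dir ) );
        foreach ( $diff as $kind => $paths ) {
            foreach ( $paths as $p ) {
                echo strtoupper( $kind ) . "\t$p\n";
            }
        }
        exit( array_sum( array_map( 'count', $diff ) ) > 0 ? 1 : 0 );
    } else {
        fwrite( STDERR, "Usage: php wp-fim.php baseline|verify <dir> <baseline.json>\n" );
        exit( 2 );
    }
}
```

Two practical points: keep the baseline file outside the web root (ideally off the server), otherwise an attacker who can write files can also rewrite the baseline, and re-run `baseline` right after every legitimate plugin or theme update, since an update changes many files and would otherwise bury a real alert in noise.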

Automate Backups

Regular automated backups are critical. Ensure that backups are stored off-server and include several recent restore points. If a website is compromised, restoring from a clean backup is often the quickest and safest way to return to normal operations without spending hours detecting and removing malicious code.

Adopt Basic DevSecOps Practices

Travel companies and web studios should embrace basic DevSecOps practices, even in simplified forms. This includes performing security testing before releases, using staging environments to test plugin updates, and running compatibility checks before pushing changes live. These practices help prevent situations where updates are delayed due to fears of breaking the site.

Foster a Culture of Security

Finally, it’s vital to cultivate a culture of security within the team. Managers, content specialists, and marketers working with WordPress need to understand the fundamental risks: why outdated plugins pose dangers, why passwords should be changed regularly, and why administrator rights should not be granted indiscriminately.


The vulnerabilities found in WP Travel Engine show how weak the travel industry’s online systems can be. This situation highlights that cybersecurity isn’t something you do just once or only for developers to worry about. Website owners shouldn’t avoid updates because they fear short-term downtime.

In the long run, incidents like this can help the industry by raising awareness. They encourage companies to rethink their processes and motivate teams to adopt stronger and more reliable technology solutions.