Severe WordPress Plugin Flaws Put 20,000+ Travel Websites at Risk
Two critical vulnerabilities in the WP Travel Engine plugin put over 20,000 WordPress travel sites at risk. Both allow unauthenticated attackers to take full control of websites. Immediate updates are strongly advised.
A major security alert has been issued for WP Travel Engine, a widely used WordPress plugin that powers more than 20,000 travel and tour booking websites. Two newly discovered critical vulnerabilities—each rated a 9.8 on the Common Vulnerability Scoring System (CVSS)—could allow unauthenticated attackers to take full control of affected sites.
What’s at Stake
WP Travel Engine is a popular tool for travel agencies and tour operators, helping them manage itineraries, packages, and online bookings directly from their WordPress dashboards. However, its convenience has now become a liability. The two flaws—Improper Path Restriction (Path Traversal) and Local File Inclusion (LFI)—both give attackers dangerous levels of access to core website files.
In simple terms, the first issue allows hackers to rename or delete key files on the server, such as wp-config.php, effectively crippling the site’s configuration and potentially leading to remote code execution. The second flaw, caused by a poorly secured parameter, enables attackers to execute arbitrary PHP code, opening the door to data theft, defacement, or even complete takeover of the server.
Both vulnerabilities can be exploited without logging in, meaning even anonymous attackers can compromise websites instantly.
Why This Matters for the Travel Industry
The timing is especially concerning. The travel sector relies heavily on online bookings and reputation, and many small- to medium-sized tour operators depend on WordPress for affordability and flexibility. A single compromised site could expose customer data, disrupt reservations, or damage consumer trust—potentially during peak travel seasons.
These vulnerabilities highlight an ongoing issue in the WordPress ecosystem: plugin dependency and uneven security practices. While WordPress itself is relatively secure, its vast plugin library often becomes the weak link.
Bold Outlook’s Take
This incident is a reminder that open ecosystems—while empowering—require constant vigilance. Website owners, especially those in data-sensitive industries like travel, must treat plugin updates as critical infrastructure maintenance, not optional tasks. Routine audits, backups, and web application firewalls (WAFs) are essential defenses that too many small businesses overlook.
Moreover, this case underscores the need for stronger plugin vetting and transparency from developers. With travel data, personal identification, and payment information at stake, security should not be an afterthought.
What Site Owners Should Do
All users of WP Travel Engine must update immediately to the latest version (6.6.8 or higher). Both vulnerabilities affect all earlier versions, and because they’re exploitable without authentication, leaving the plugin outdated is an open invitation to attackers.
To stay protected:
- Update WP Travel Engine immediately.
- Check for unusual file changes in your WordPress installation.
- Harden file permissions and disable PHP execution in upload directories.
- Regularly back up your site and test your restoration process.
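As an added illustration of the first three checklist items (example code, not from the article or from the plugin's developers), the following POSIX shell script reads the installed WP Travel Engine version from its plugin header, flags anything below 6.6.8, and lists PHP files sitting in the uploads directory. The plugin directory and main-file name are assumptions based on the usual WordPress layout.

```shell
#!/bin/sh
# Added example, not the article's or the plugin's code: audit a WordPress install for
# an outdated WP Travel Engine and for PHP files in the uploads directory. The plugin
# directory and main file name below are assumptions based on the usual WordPress layout.
set -eu
FIXED_VERSION="6.6.8"   # first fixed release named in the article

# version_lt A B: succeed when dotted numeric version A is strictly below B
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        a="${a#*.}"; b="${b#*.}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# plugin_version FILE: read the "Version:" line of a plugin's header comment
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n1
}

# needs_update FILE: succeed when the header reports a version below FIXED_VERSION
needs_update() {
    v="$(plugin_version "$1")"
    [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"
}

# php_in_uploads DIR: list PHP files under uploads; a clean site lists none
php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null || :
}

# audit_site WPROOT: run both checks against a WordPress root directory
audit_site() {
    main="$1/wp-content/plugins/wp-travel-engine/wp-travel-engine.php"   # assumed path
    if [ ! -f "$main" ]; then
        echo "WP Travel Engine not found at $main"
    elif needs_update "$main"; then
        echo "VULNERABLE: WP Travel Engine $(plugin_version "$main") is below $FIXED_VERSION, update now"
    else
        echo "OK: WP Travel Engine $(plugin_version "$main") is at or above $FIXED_VERSION"
    fi
    echo "PHP files under uploads (expect none):"
    php_in_uploads "$1/wp-content/uploads"
}
if [ "$#" -gt 0 ]; then audit_site "$1"; fi
```

Run it as `sh wpte-check.sh /path/to/wordpress`; any file it lists under uploads deserves a look, since a correctly configured uploads directory should never contain executable PHP.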
In an increasingly digital travel economy, security lapses don’t just cost data—they can cost trust, bookings, and reputation.