Vulnerabilities and security researches fortravelpayouts travelpayouts

Jun 06, 2024

CVE, Research URL: CVE-2024-0337
Home page URL: Security reports for Travelpayouts: All Travel Brands in One Place
Application: Travelpayouts: All Travel Brands in One Place
Date: Mar 20, 2024
Research Description: The Travelpayouts: All Travel Brands in One Place WordPress plugin through 1.1.15 is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Affected versions: max 1.1.14.
Status: vulnerable

CVE, Research URL: e0a7d8897771e852dbfe2e2a566b536c7e908324
Home page URL: Security reports for Travelpayouts: All Travel Brands in One Place
Application: Travelpayouts: All Travel Brands in One Place
Date: Sep 13, 2021
Research Description: Travelpayouts: All Travel Brands in One Place [travelpayouts] < 1.0.17 Travelpayouts <= 1.0.16 - Cross-Site Request Forgery The Travelpayouts plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.16. This is due to missing or incorrect nonce validation in the outdated Redux Framework. This makes it possible for unauthenticated attackers to gain restricted access to administrative actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 1.0.17.
Status: vulnerable

Feb 28, 2026

CVE, Research URL: CVE-2025-68042
Home page URL: Security reports for Travelpayouts: All Travel Brands in One Place
Application: Travelpayouts: All Travel Brands in One Place
Date: Feb 20, 2026
Research Description: Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelpayouts: from n/a through <= 1.2.1.
Affected versions: max 1.2.1.
Status: vulnerable