cleantalk
Vulnerabilities and Security Researches

WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine, CVE-2021-4389

CVE, Research URL

CVE-2021-4389

Home page URL

Security reports for WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine

Application

WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine

Published on
Jul 01, 2023
Research Description
The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 4.2.0.
Status
vulnerable
Previous vulnerability researches
WP Travel Gutenberg Blocks (CVE-2025-62063) , Nov 11, 2025
WP Travel Gutenberg Blocks (CVE-2025-53207) , Jul 05, 2025
WP Travel Gutenberg Blocks (CVE-2024-43284) , Aug 20, 2024
WP Travel Gutenberg Blocks (CVE-2024-47627) , Oct 03, 2024
WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine (CVE-2024-44039) , Sep 28, 2024
New vulnerability
OceanWP (CVE-2025-8944) , May 14, 2026
130+ Widgets | Best Addons For Elementor – FREE (CVE-2026-45214) , May 14, 2026
Court Reservation – Manage Your Court Bookings Online (CVE-2026-1250) , May 14, 2026
Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend (CVE-2026-42741) , May 14, 2026
WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine (CVE-2026-45218) , May 14, 2026