CVE-2021-24680

Name of the Vulnerable Software and Affected Versions WP Travel Engine versions prior to 5.3.1

Description The issue allows users with a role as low as editor to perform Stored Cross-Site Scripting attacks due to the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages not being escaped, even when the unfiltered html capability is disallowed.

Recommendations For versions prior to 5.3.1, update to version 5.3.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability of editors to modify the Description field in the affected pages until a patch is applied.