CVE-2026-49770

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions WP Travel Engine versions prior to 6.7.13

Description An unauthenticated PHP Object Injection exists in the software. PHP Object Injection occurs when user-supplied input is passed to the PHP unserialize() function without proper validation, potentially allowing an attacker to manipulate object properties or execute arbitrary code.

Recommendations Update to a version newer than 6.7.12.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2026-49770

Affected Products

Wp Travel Engine

CVE-2026-49770

Weakness Enumeration

Related Identifiers

Affected Products

References · 3