CVE-2025-5282 Overview
CVE-2025-5282 is a missing authorization vulnerability in the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress. The flaw exists in the delete_package() function across all versions up to and including 6.5.1. The function lacks a capability check, allowing unauthenticated attackers to send crafted requests that delete arbitrary posts on affected sites. The vulnerability is classified under CWE-862: Missing Authorization and impacts site integrity by enabling destructive actions without authentication.
Critical Impact
Unauthenticated remote attackers can delete arbitrary WordPress posts, causing data loss and potential site disruption on installations running WP Travel Engine ≤ 6.5.1.
Affected Products
- WP Travel Engine plugin for WordPress, versions up to and including 6.5.1
- WordPress sites using the Tour Booking / Tour Operator Software plugin distributed by wptravelengine
- Fixed version: WP Travel Engine 6.5.2
Discovery Timeline
- 2025-06-13 - CVE-2025-5282 published to NVD
- 2025-07-10 - Last updated in NVD database
Technical Details for CVE-2025-5282
Vulnerability Analysis
The vulnerability resides in the delete_package() function within the plugin's REST API V2 Trip controller, located at includes/classes/Core/Controllers/RestAPI/V2/Trip.php. The function processes deletion requests but does not validate whether the requesting user holds the capabilities required to delete posts. Because the REST endpoint accepts unauthenticated requests, any remote actor able to reach the WordPress site can trigger post deletion.
The issue maps to CWE-862 (Missing Authorization). Authorization checks such as current_user_can() or a permission_callback enforcing a privileged capability were absent from the route handler.
Root Cause
The root cause is the absence of a capability check on the REST route that invokes delete_package(). WordPress REST API routes gate access through an explicit permission_callback; when that callback returns true unconditionally (`'__return_true'`) or is omitted entirely (which WordPress 5.5+ flags with a _doing_it_wrong notice but still serves), the endpoint is publicly callable. In this case the deletion handler executed wp_delete_post()-style logic against post IDs supplied in the request without verifying that the caller held the `delete_post` capability for the targeted post, or that the post even belonged to the plugin's own post type.
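The vulnerable and the hardened registration patterns side by side, as an added illustration that is not code from the WP Travel Engine plugin or its fix. The namespace `example-tours/v2`, the route paths, the callback names and the `trip` post type are all assumptions chosen for the example; the real plugin's route layout is not reproduced here.

```php
<?php
// Added example, not WP Travel Engine code. Namespace, routes, callback names
// and the 'trip' post type are illustrative assumptions.

// Vulnerable pattern (CWE-862): permission_callback returns true unconditionally,
// so the deletion handler runs for anonymous callers.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-tours/v2', '/trips/(?P<id>\d+)/package', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_package',
        'permission_callback' => '__return_true',   // <-- no authorization at all
    ) );
} );

// Hardened pattern: permission_callback checks the meta capability for the
// specific post, and refuses posts outside the plugin's own post type.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-tours/v2', '/trips/(?P<id>\d+)/package-fixed', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_package',
        'permission_callback' => 'example_can_delete_package',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $v ) { return is_numeric( $v ) && (int) $v > 0; },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_can_delete_package( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    $post    = get_post( $post_id );

    // Without this check a "package" endpoint becomes a generic post deleter.
    if ( ! $post || 'trip' !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'No such package.', array( 'status' => 404 ) );
    }
    // 'delete_post' is a meta capability: WordPress maps it to delete_posts,
    // delete_others_posts or delete_published_posts depending on author and status.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to delete this package.',
            array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
        );
    }
    return true;
}

function example_delete_package( WP_REST_Request $request ) {
    $deleted = wp_delete_post( (int) $request['id'], true );
    if ( ! $deleted ) {
        return new WP_Error( 'rest_cannot_delete', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => (int) $request['id'] ) );
}
```

Two points worth remembering when reviewing a fix like this: cookie-authenticated REST calls must also carry a valid `X-WP-Nonce` header, otherwise WordPress treats the request as anonymous and `current_user_can()` evaluates for user 0, so the hardened callback denies them (application passwords sent via Basic auth are authenticated without a nonce); and `'__return_true'` is only acceptable for endpoints that are genuinely public and read-only.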
Attack Vector
An attacker sends an HTTP request to the plugin's REST endpoint specifying a target post ID. No authentication header, nonce, or session cookie is required. The server processes the deletion against the supplied identifier, removing the corresponding post from the database. Repeating the request with different IDs allows bulk destruction of content. EPSS scores the 30-day exploitation probability at 0.382% (59.55th percentile) as of the most recent scoring.
The vulnerability mechanism is documented in the Wordfence Vulnerability Report and the upstream fix can be reviewed in the WordPress Plugin Changeset.
Detection Methods for CVE-2025-5282
Indicators of Compromise
- Unexpected HTTP requests to WP Travel Engine REST routes under /wp-json/ referencing trip or package deletion handlers from unauthenticated sources.
- WordPress posts (trip packages, pages, or other post types) missing without a corresponding administrator action in audit logs.
- Spikes in DELETE or POST requests to plugin endpoints originating from a single IP or distributed scanners.
Detection Strategies
- Review web server access logs for requests targeting the plugin's REST V2 Trip controller. Standard access logs do not record cookies or Authorization headers, so a log hit alone cannot prove the caller was unauthenticated; correlate with WordPress-side audit logging (user ID 0 on a deletion event) to confirm.
- Compare current post counts and IDs against recent backups to identify deletions that lack a matching admin action in the WordPress activity log.
- Deploy WordPress-specific WAF rules that flag REST API calls invoking deletion handlers from unauthenticated clients.
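A small access-log triage script that applies the strategies above, added here as an example and not taken from the page's sources. It parses combined-format log lines, flags successful state-changing requests to the plugin's REST routes in both the pretty-permalink (`/wp-json/...`) and the `?rest_route=` form, and groups them per source IP. The log lines are constructed, and the route pattern (matching `travel` or `trip` in the path) is an assumption to be replaced with the namespace the affected site actually registers (visible in the route index at `/wp-json/`).

```php
<?php
// Added example (not from the page's sources or the plugin). Combined-format
// access-log triage for candidate REST deletion calls. Access logs carry no
// cookies or Authorization headers, so hits are candidates for follow-up, not proof.

const PLUGIN_ROUTE_RE = '#(?:/wp-json/[^\s?]*(?:travel|trip)[^\s?]*|rest_route=(?:%2F|/)[^\s&]*(?:travel|trip)[^\s&]*)#i'; // assumed namespace pattern
const LOG_LINE_RE     = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

function parse_line( string $line ): ?array {
    if ( ! preg_match( LOG_LINE_RE, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                  'target' => $m[4], 'status' => (int) $m[5] );
}

function is_candidate_deletion( array $r ): bool {
    // State-changing method, plugin route, and a 2xx response (the deletion went through).
    return in_array( $r['method'], array( 'DELETE', 'POST' ), true )
        && $r['status'] >= 200 && $r['status'] < 300
        && preg_match( PLUGIN_ROUTE_RE, $r['target'] ) === 1;
}

function analyse( array $lines, int $burst_threshold = 3 ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( $r && is_candidate_deletion( $r ) ) {
            $hits[ $r['ip'] ][] = $r;
        }
    }
    $report = array();
    foreach ( $hits as $ip => $reqs ) {
        $report[ $ip ] = array(
            'count'   => count( $reqs ),
            'burst'   => count( $reqs ) >= $burst_threshold,   // bulk deletion pattern
            'targets' => array_column( $reqs, 'target' ),
        );
    }
    return $report;
}

// Constructed sample lines, not real traffic. Both URL forms WordPress accepts
// are included; WordPress also honours a _method override on POST.
$sample = array(
    '203.0.113.7 - - [14/Jun/2025:10:01:02 +0000] "DELETE /wp-json/wp-travel-engine/v2/trips/101/package HTTP/1.1" 200 43 "-" "python-requests/2.32"',
    '203.0.113.7 - - [14/Jun/2025:10:01:03 +0000] "DELETE /wp-json/wp-travel-engine/v2/trips/102/package HTTP/1.1" 200 43 "-" "python-requests/2.32"',
    '203.0.113.7 - - [14/Jun/2025:10:01:04 +0000] "POST /index.php?rest_route=/wp-travel-engine/v2/trips/103/package&_method=DELETE HTTP/1.1" 200 43 "-" "python-requests/2.32"',
    '198.51.100.9 - - [14/Jun/2025:10:05:00 +0000] "GET /wp-json/wp-travel-engine/v2/trips/101 HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jun/2025:10:05:01 +0000] "DELETE /wp-json/wp-travel-engine/v2/trips/105/package HTTP/1.1" 403 91 "-" "Mozilla/5.0"',
);

if ( PHP_SAPI === 'cli' && realpath( $argv[0] ?? '' ) === __FILE__ ) {
    // Usage: php triage.php [access.log]   (falls back to the constructed sample)
    $lines = isset( $argv[1] ) ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) : $sample;
    foreach ( analyse( $lines ) as $ip => $info ) {
        printf( "%s: %d candidate deletion(s)%s\n", $ip, $info['count'], $info['burst'] ? '  <-- burst' : '' );
        foreach ( $info['targets'] as $t ) {
            echo "    $t\n";
        }
    }
}
```

On the sample, only 203.0.113.7 is reported (three successful deletions in three seconds, flagged as a burst); the GET and the 403 from the second address are ignored. The `?rest_route=` branch matters because a rule that only watches `/wp-json/` misses sites without pretty permalinks and attackers who deliberately use the query-string form.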
Monitoring Recommendations
- Enable a WordPress activity logging plugin, or hook `wp_trash_post` and `before_delete_post`/`deleted_post` directly, to record every trash and delete event with the acting user ID (0 for unauthenticated callers), source IP, and whether the request arrived via the REST API.
- Forward web server and WordPress audit logs to a SIEM and alert on high-volume post deletions or REST calls returning HTTP 200 against trip endpoints.
- Monitor plugin version inventory across managed sites to confirm rapid patch adoption.
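A minimal audit hook implementing the first monitoring recommendation, added as an example (it is not part of the WP Travel Engine plugin or of any product named on this page). Dropped into `wp-content/mu-plugins/`, it writes one JSON line per trash or delete event to the PHP error log so a SIEM can ingest it; a deletion with `user_id` 0 over REST is exactly the pattern this CVE produces.

```php
<?php
/**
 * Plugin Name: Example post-deletion audit logger (mu-plugin)
 * Added example, not vendor code. Records who trashed or deleted which post,
 * from which address, and whether the call arrived over the REST API.
 */

function example_deletion_audit_entry( string $event, int $post_id ): array {
    $post = get_post( $post_id );
    return array(
        'ts'        => gmdate( 'c' ),
        'event'     => $event,                        // wp_trash_post | before_delete_post
        'post_id'   => $post_id,
        'post_type' => $post ? $post->post_type : null,
        'title'     => $post ? $post->post_title : null,
        'user_id'   => get_current_user_id(),         // 0 => WordPress did not authenticate the caller
        'ip'        => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'rest'      => defined( 'REST_REQUEST' ) && REST_REQUEST,
        'method'    => $_SERVER['REQUEST_METHOD'] ?? '',
        'uri'       => $_SERVER['REQUEST_URI'] ?? '',
    );
}

function example_deletion_audit_log( string $event, int $post_id ): void {
    // One JSON object per line; forward the PHP error log (or redirect this to a
    // dedicated file) to the SIEM and alert on user_id 0 with event set.
    error_log( 'post_audit ' . wp_json_encode( example_deletion_audit_entry( $event, $post_id ) ) );
}

// Both hooks fire before the destructive action, so the post row is still readable.
add_action( 'wp_trash_post', function ( $post_id ) {
    example_deletion_audit_log( 'wp_trash_post', (int) $post_id );
}, 10, 1 );
add_action( 'before_delete_post', function ( $post_id ) {
    example_deletion_audit_log( 'before_delete_post', (int) $post_id );
}, 10, 1 );
```

Behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address; only substitute a forwarded-for header if the proxy is trusted and strips client-supplied copies, otherwise the attacker chooses what gets logged.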
How to Mitigate CVE-2025-5282
Immediate Actions Required
- Update the WP Travel Engine plugin to version 6.5.2 or later on every WordPress installation.
- Audit existing posts and restore any that were deleted without authorization from a clean backup.
- Restrict unauthenticated access to the plugin's REST routes at the WAF or reverse proxy. Blocking all of /wp-json/ is rarely viable, since the block editor, many themes and other plugins depend on public REST routes; scope the restriction to the affected namespace.
Patch Information
The vendor addressed the issue in WP Travel Engine 6.5.2 by adding capability validation to the affected REST route. The fix is documented in the WordPress Plugin Changeset 3305447, which modifies Trip.php to enforce authorization before invoking delete_package().
Workarounds
- If patching is delayed, disable the WP Travel Engine plugin until the upgrade can be applied.
- Block external access to the plugin's REST routes at the web application firewall, allowing only authenticated administrative IPs.
- Keep recent, tested backups with restore procedures so destroyed content can be recovered quickly, and restrict who can read or modify those backups.
# Example: return 403 for requests to the plugin's REST namespace (nginx) that carry
# no WordPress login cookie. Three caveats: the path below is assumed and must be
# checked against the site's route index at /wp-json/; a cookie-presence test is not
# authentication (any client can send a cookie named wordpress_logged_in_x), so this
# only deters unsophisticated scanners; and it does not match the ?rest_route= form
# of REST URLs, which needs a separate rule. Patching is the fix, this is a stopgap.
location ~* ^/wp-json/wp-travel-engine/ {
    if ($http_cookie !~* "wordpress_logged_in_") {
        return 403;
    }
}
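A WordPress-side alternative to the proxy rule, added as an example and not taken from the vendor or from the page's sources. Because it runs inside WordPress after authentication has been resolved, it covers `/wp-json/...` and `?rest_route=...` alike, sees the method after `_method` or `X-HTTP-Method-Override` normalisation, and uses WordPress's own notion of "logged in" instead of a cookie name. The namespace prefix is an assumption (taken from the page's nginx example) and must be confirmed against the affected site's route index.

```php
<?php
/**
 * Plugin Name: Example REST virtual patch (mu-plugin)
 * Added example, not vendor code. Until the plugin is updated to 6.5.2, deny
 * state-changing REST calls to the plugin's namespace from callers WordPress
 * has not authenticated. Namespace prefix below is assumed; verify it.
 */

const EXAMPLE_PROTECTED_NAMESPACE = '/wp-travel-engine/';            // assumed, verify via GET /wp-json/
const EXAMPLE_PROTECTED_METHODS   = array( 'DELETE', 'POST', 'PUT', 'PATCH' );

function example_rest_should_block( string $route, string $method, int $user_id ): bool {
    $route_matches = stripos( $route, EXAMPLE_PROTECTED_NAMESPACE ) === 0;
    $is_mutation   = in_array( strtoupper( $method ), EXAMPLE_PROTECTED_METHODS, true );
    return $route_matches && $is_mutation && 0 === $user_id;    // 0 = anonymous to WordPress
}

// rest_pre_dispatch fires after cookie+nonce / application-password authentication
// and before the route's own permission_callback, so a missing check can be
// compensated for here without touching plugin files.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result ) {
        return $result;   // an earlier filter already produced a response or error
    }
    if ( example_rest_should_block( $request->get_route(), $request->get_method(), get_current_user_id() ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required for this endpoint.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $result;
}, 10, 3 );
```

Test this against the site's legitimate front-end flows before deploying: if the plugin intentionally exposes an anonymous write endpoint (for example a booking or enquiry form), that route must be exempted, and the stopgap should be removed once 6.5.2 is installed.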
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.