CVE-2025-5282: 
WordPress vulnerability analysis and mitigation

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress contains a vulnerability (CVE-2025-5282) discovered and disclosed on June 12, 2025. The vulnerability affects all versions up to and including 6.5.1, stemming from a missing capability check in the delete_package() function (NVD, Wiz).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. It is categorized as CWE-862 (Missing Authorization), indicating a fundamental authorization control issue in the plugin's implementation. The security flaw specifically relates to the delete_package() function lacking proper capability checks (Wordfence, NVD).

The vulnerability allows unauthenticated attackers to delete arbitrary posts within the WordPress installation. This unauthorized access to delete functionality could lead to significant data loss and potential disruption of the website's content management system (Wiz, NVD).

A fix has been implemented in version 6.5.2 of the WP Travel Engine plugin, which includes proper authorization checks for the delete_package() function. The update adds a delete_package_permissions_check method that verifies user capabilities before allowing post deletion (WordPress Plugin).