| Plugin Name | WP Travel Engine |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-2437 |
| Urgency | Low |
| CVE Publish Date | 2026-04-05 |
| Source URL | CVE-2026-2437 |
WP Travel Engine (≤ 6.7.5) Stored XSS (CVE‑2026‑2437) — What WordPress Site Owners and Developers Must Do Now
Author: Hong Kong Security Expert | Date: 2026-04-06
Summary: A stored Cross‑Site Scripting (XSS) vulnerability affecting WP Travel Engine versions ≤ 6.7.5 (CVE‑2026‑2437) was published on 4 April 2026 and patched in version 6.7.6. The issue allows an authenticated Contributor to persist malicious script content via the wte_trip_tax shortcode. Successful exploitation requires user interaction (a privileged user or visitor viewing the injected content) and leads to client‑side script execution in that visitor's or administrator's browser. The guidance below explains the risk, exploitation scenarios, immediate mitigations, detection and remediation, developer fixes, and practical WAF/virtual‑patching approaches until you can patch.
What happened (quick TL;DR)
On 4 April 2026 a stored Cross‑Site Scripting (XSS) vulnerability in WP Travel Engine (≤ 6.7.5) was disclosed (CVE‑2026‑2437). The issue is triggered through the plugin’s wte_trip_tax shortcode and can be exploited by an authenticated user with Contributor privileges. The vendor released version 6.7.6 to fix the issue.
Action: update WP Travel Engine to 6.7.6 or later immediately. If immediate update is not possible, follow the ordered mitigations below and deploy temporary virtual patches via your WAF or server configuration. Stored XSS persists in the database and continues to affect visitors until removed.
Why this matters: stored XSS impact and threat model
Stored XSS is one of the most dangerous client‑side vulnerabilities for content management systems because:
- Persistence: malicious payloads are stored on the server and executed in the browser of any visitor or admin who views the content.
- Wide reach: vulnerable shortcodes that render on public or admin pages can trigger the payload across many visits.
- Privilege escalation: even a low‑privilege injector (Contributor) can target higher‑privilege users who view the infected page, enabling session theft, CSRF‑style actions, or backdoor uploads.
- Reputation and supply‑chain risk: hidden redirects, spam, or malware affect SEO and user trust.
This vulnerability requires an authenticated Contributor to inject content and a privileged user or visitor to view it. In practice attackers combine small flaws and social engineering to amplify impact.
Vulnerability summary
- Software: WP Travel Engine (WordPress plugin)
- Affected versions: ≤ 6.7.5
- Patched version: 6.7.6
- CVE: CVE‑2026‑2437
- Vulnerability type: Stored Cross‑Site Scripting (XSS) via the wte_trip_tax shortcode
- Required privilege: Contributor (authenticated)
- User interaction: Required (viewing the malicious content)
- CVSS (reported): 6.5
- Disclosure date: 4 Apr, 2026
Immediate steps every site owner must take (ordered)
- Update the plugin now. Upgrade WP Travel Engine to version 6.7.6 or later. This is the primary fix.
- If you cannot update immediately, apply temporary mitigations:
  - Disable or remove the vulnerable shortcode from runtime so stored payloads do not render.
  - Restrict Contributor capabilities temporarily to prevent content submissions that could exploit the issue.
  - Block or challenge requests that attempt to submit suspicious content (see WAF guidance below).
  - Scan and clean the database for injected scripts in taxonomy terms and any content rendered by the shortcode.
- Rotate high‑privilege credentials and enable 2FA. Change admin and editor passwords and enforce two‑factor authentication for administrative accounts.
- Put the site into maintenance mode if active exploitation is detected. Prevent both visitors and administrators from loading infected pages while you clean and patch.
- Restore from a clean backup if infection is widespread. Use a backup taken before the suspected injection date, then update and patch before re‑publishing.
- Notify hosting or site administrators. Hosting providers can assist with logs, backups, and network‑level mitigations, as is typical for Hong Kong and regional hosting environments.
How to safely disable the vulnerable shortcode now
If you cannot update immediately, disabling the shortcode prevents stored content from being interpreted by the vulnerable handler. Add a site‑specific plugin or, preferably, a must‑use plugin (a file in wp-content/mu-plugins/) containing the following code. Do not paste this into third‑party plugin files.
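The following mu‑plugin is an added example written for this article; it is not code from the original post or from the WP Travel Engine vendor. It short‑circuits the wte_trip_tax shortcode through WordPress core's pre_do_shortcode_tag filter (available since WP 4.7), so it works no matter when the plugin registers its handler; the function names, text domain and file name are my own choices.

```php
<?php
/**
 * Plugin Name: Temporary wte_trip_tax override (CVE-2026-2437 mitigation)
 * Description: Neutralises the vulnerable shortcode until WP Travel Engine 6.7.6+ is installed.
 *
 * Save as wp-content/mu-plugins/wte-trip-tax-override.php (file name is an arbitrary choice).
 * Delete this file after updating the plugin.
 */

defined( 'ABSPATH' ) || exit;

// Core applies 'pre_do_shortcode_tag' before running any shortcode handler. Returning a
// non-false value makes do_shortcode_tag() return that value instead of calling the handler,
// so the plugin's vulnerable renderer never sees the stored attributes or term content.
add_filter( 'pre_do_shortcode_tag', 'hk_wte_trip_tax_short_circuit', 10, 4 );

function hk_wte_trip_tax_short_circuit( $return, $tag, $attr, $m ) {
    if ( 'wte_trip_tax' !== $tag ) {
        return $return; // Leave every other shortcode untouched.
    }

    // Record which posts still carry the shortcode so they can be reviewed and cleaned.
    $post_id = get_the_ID();
    if ( $post_id ) {
        error_log( sprintf( 'CVE-2026-2437 mitigation: suppressed [wte_trip_tax] on post %d', $post_id ) );
    }

    // Empty string: nothing is rendered, and any stored HTML or script is never interpreted.
    return '';
}

// Remind administrators that the override is in place and must be removed after patching.
add_action( 'admin_notices', 'hk_wte_trip_tax_notice' );

function hk_wte_trip_tax_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
        . esc_html__( 'Temporary mitigation active: the wte_trip_tax shortcode is disabled. Update WP Travel Engine to 6.7.6 or later, then delete the mu-plugin.', 'hk-wte-mitigation' )
        . '</p></div>';
}
```

Because the filter fires inside do_shortcode_tag(), it also covers shortcode output produced through widgets, page builders or REST responses that call do_shortcode(), not only post content.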
Notes:
- This is a temporary mitigation. Remove the override after updating the plugin.
- Returning an empty string prevents rendering stored HTML or scripts.
How to detect signs of exploitation
Look for these indicators of stored XSS injection: