Severity
High
Analysis Summary
CVE-2025-5282 CVSS:7.5
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.
CVE-2025-49454 CVSS:8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean TinySalt allows PHP Local File Inclusion.This issue affects TinySalt: from n/a before 3.10.0.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2025-5282
CVE-2025-4945
Affected Vendors
- WordPress
Affected Products
- Tour Booking Plugin – Tour Operator Software plugin
- TinySalt Theme - 3.10.0
Remediation
Update the WordPress plugin to the latest available version.