WP Travel Engine is one of the most widely used tour booking plugins for WordPress, with over 20,000 active installations. It handles tour listings, itineraries, booking forms, pricing, customer data, and payment integration. For many small travel agencies, it’s the entire business backend. In March 2024, a critical SQL injection vulnerability came to light. It required no authentication to exploit.
CVE-2024-30502 WP Travel Engine: The Vulnerability
CVE-2024-30502 is an unauthenticated SQL injection in WP Travel Engine versions up to and including 5.7.9, rated CVSS 9.3 (Critical). Unauthenticated means no account is needed: no login, no credentials, no prior foothold. Anyone who can reach the site over HTTP can send a crafted request that the plugin folds into a database query, so the attack goes straight from the public web to the site's database.
SQL injection at this severity gives an attacker direct command over the database: reading every record, modifying any value, or deleting any table. In practice the reach depends on the injection point (a blind injection is slower to exploit than one that echoes query results, but it still leaks the data) and on the privileges of the account WordPress connects with, which on typical hosting is full control of the site's database. In a WP Travel Engine installation that means every booking, every customer name and email address, every payment reference, and every operational record the business depends on. Version 5.8.0 contained the fix.
CVE-2024-30502 WP Travel Engine: How Exploitation Works in Practice
The attack is automated. Bots continuously scan WordPress sites for version strings that give away a vulnerable plugin, such as the publicly readable readme.txt that wordpress.org plugins ship under wp-content/plugins/, and fire the exploit the moment they find a match. The window between "site identified" and "database compromised" measures in seconds, not minutes. Attackers don't need to know anything about your business, your traffic, or your content. They just need to know you're running a vulnerable version.
For a travel agency, the database isn’t just operational data. It’s the client relationships that drive the business. Booking records, customer contact details, travel history, and notes from years of back-and-forth with returning clients. This data doesn’t exist anywhere else. A payment processor export gives you transaction IDs. It doesn’t give you the email address of a customer who traveled with you three times and referred their colleagues.
The Visibility Problem
A pending plugin update in the WordPress dashboard looks the same whether it patches a cosmetic issue or a critical database vulnerability. There’s no urgency signal, no visual distinction, and no indication that one of those queued notifications means the difference between your data remaining intact and someone running commands in your database at 2 AM.
Most compromises don’t happen because site owners are careless. They happen because the gap between “vulnerability disclosed” and “site updated” gets filled with ordinary life. Busy season, other priorities, a dashboard notification that looked the same as the fifteen before it.
CVE-2024-30502 had a CVE ID, a CVSS score of 9.3, a patched version, and months of public disclosure. The information needed to act on it was entirely available. What’s missing on most sites is something actively surfacing whether the installed version is affected. Not a mailing list, not manual patch notes. Just a scanner that checks your plugins against a live CVE database and flags what needs attention. Trusti Security’s vulnerability scanner does exactly that.
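The version check that both sides of this story rely on, the bots fingerprinting a site and a scanner flagging an outdated plugin, comes down to reading a plugin's version string and comparing it correctly against the first fixed release. The script below is an added example written for this post; it is not code from the original article, from WP Travel Engine, or from Trusti Security's scanner. It assumes the plugin slug is wp-travel-engine, that its readme.txt is served at /wp-content/plugins/wp-travel-engine/readme.txt (the usual layout for wordpress.org plugins), and that the JSON it reads has the shape of `wp plugin list --format=json`. The advisory table and the sample readme and WP-CLI output are constructed for the demo, not captured from a real site.

```python
"""Flag WordPress plugins whose installed version predates a fixed release.

Added example for this post, not code from the article, the plugin, or any
vendor scanner. Assumptions: slug 'wp-travel-engine', readme.txt at
/wp-content/plugins/<slug>/readme.txt, WP-CLI JSON from `wp plugin list`.
"""
import json
import re
from typing import List, Optional, Tuple
from urllib.request import urlopen

# Advisory table (slug -> first fixed version, CVE). Only the entry the post
# discusses is included; in practice this comes from a live advisory feed.
FIXED_IN = {
    "wp-travel-engine": ("5.8.0", "CVE-2024-30502"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.7.9' or '5.10.1-beta' into a tuple of ints for comparison.
    Plain string comparison would wrongly rank '5.10.1' below '5.8.0'."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) < 3:          # pad so that 5.8 == 5.8.0
        parts.append(0)
    return tuple(parts)


def stable_tag(readme: str) -> Optional[str]:
    """Extract 'Stable tag' from a wordpress.org style readme.txt.
    Returns None when the header is absent or set to 'trunk'."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    if not m or m.group(1).lower() == "trunk":
        return None
    return m.group(1)


def fetch_stable_tag(site: str, slug: str = "wp-travel-engine",
                     timeout: float = 5.0) -> Optional[str]:
    """Read the public readme.txt of a plugin from a site you operate.
    Network call; not used by the offline demo below. Path is an assumption."""
    url = f"{site.rstrip('/')}/wp-content/plugins/{slug}/readme.txt"
    with urlopen(url, timeout=timeout) as resp:
        return stable_tag(resp.read().decode("utf-8", "replace"))


def is_affected(slug: str, version: str) -> Optional[str]:
    """Return the CVE id if slug/version is below the fixed release, else None.
    An untracked slug also returns None, which means 'unknown', not 'safe'."""
    if slug not in FIXED_IN:
        return None
    fixed, cve = FIXED_IN[slug]
    return cve if parse_version(version) < parse_version(fixed) else None


def check_wp_cli_output(plugin_list_json: str) -> List[Tuple[str, str, str, str]]:
    """Flag affected plugins in `wp plugin list --format=json` output.
    Each finding is (slug, installed version, CVE, first fixed version)."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        cve = is_affected(plugin["name"], plugin["version"])
        if cve:
            findings.append((plugin["name"], plugin["version"], cve,
                             FIXED_IN[plugin["name"]][0]))
    return findings


# Constructed sample inputs (not captured from a real installation).
SAMPLE_README = """=== WP Travel Engine ===
Contributors: wptravelengine
Requires at least: 5.5
Stable tag: 5.7.9
License: GPLv2 or later
"""

SAMPLE_WP_CLI = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "wp-travel-engine", "status": "active", "update": "available",
     "version": "5.7.9"},
])

if __name__ == "__main__":
    tag = stable_tag(SAMPLE_README)
    print("readme.txt reports", tag, "->", is_affected("wp-travel-engine", tag))
    for slug, ver, cve, fixed in check_wp_cli_output(SAMPLE_WP_CLI):
        print(f"{slug} {ver}: {cve}, update to {fixed} or later")
```

The point of parse_version is the one that silently breaks naive scanners: once the plugin reaches 5.10.x, a string comparison would report it as older than 5.8.0 and raise a false alarm, or, in the other direction, let a genuinely outdated install pass. Run fetch_stable_tag only against sites you are responsible for; on your own host, the same comparison can be fed from the WP-CLI output without any HTTP request.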
If you’re running WP Travel Engine, confirm the installed version (on the Plugins screen, or with WP-CLI: wp plugin get wp-travel-engine --field=version) and update to version 5.8.0 or later. The gap between disclosure and exploitation isn’t a knowledge problem. It’s a visibility problem.