VulnTitan VulnTitan Security command center
Theme Vulnerability Hub
Theme 24 known issues Latest disclosed Mar 17, 2026

Travel Booking WordPress Theme Vulnerabilities

Review known vulnerability records for the WordPress theme Travel Booking WordPress Theme (`traveler`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-25449, CVE-2026-24367 and CVE-2025-67917, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
24
High or Critical
10
Patch Coverage
100%
Last Updated
Mar 27, 2026
Priority CVE Quick Links

Fast paths into Travel Booking WordPress Theme CVE reports

Start with the highest-signal CVE records for this WordPress theme before scanning the full vulnerability feed.

Indexed CVEs
19
CVE-2025-26873 Critical 3.2.1
CVE-2025-26873 Travel Booking WordPress Theme Vulnerability

Traveler < 3.2.1 - Unauthenticated PHP Object Injection

CVE-2025-1771 Critical 3.1.9
CVE-2025-1771 Travel Booking WordPress Theme Local File Inclusion

Traveler <= 3.1.8 - Unauthenticated Local File Inclusion via hotel_alone_load_more_post

CVE-2024-12811 High 3.2.0
CVE-2024-12811 Travel Booking WordPress Theme Local File Inclusion

Traveler <= 3.1.9 - Authenticated (Contributor+) Local File Inclusion via Shortcode

CVE-2026-25449 High 3.2.8.1
CVE-2026-25449 Travel Booking WordPress Theme Vulnerability

Travel Booking WordPress Theme < 3.2.8.1 - Unauthenticated PHP Object Injection

CVE-2025-64373 High 3.2.6
CVE-2025-64373 Travel Booking WordPress Theme Local File Inclusion

Traveler < 3.2.6 - Unauthenticated Local File Inclusion

CVE-2025-52714 High 3.2.2
CVE-2025-52714 Travel Booking WordPress Theme SQL Injection

Traveler < 3.2.2 - Unauthenticated SQL Injection

CVE-2025-26898 High 3.2.1
CVE-2025-26898 Travel Booking WordPress Theme SQL Injection

Traveler <= 3.2.0 - Unauthenticated SQL Injection

CVE-2024-11912 High 3.1.7
CVE-2024-11912 Travel Booking WordPress Theme SQL Injection

Traveler <= 3.1.6 - Unauthenticated SQL Injection via order_id

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Travel Booking WordPress Theme so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
24 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
3 critical and 7 high severity findings.
Recent CVEs
CVE-2026-25449, CVE-2026-24367 and CVE-2025-67917
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Travel Booking WordPress Theme

Sorted by latest disclosure date so newly published issues surface first.

Theme High Patched: Yes CVE-2026-25449
CVE-2026-25449: Travel Booking WordPress Theme < 3.2.8.1 - Unauthenticated PHP Object Injection

The Travel Booking WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in versions up to 3.2.8.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnera...

Published
Mar 17, 2026
Patched Release
3.2.8.1
Affected Versions
Versions before 3.2.8.1
Next Step
Update to 3.2.8.1 or newer if supported.
Open CVE-2026-25449 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2026-24367
CVE-2026-24367: Traveler < 3.2.8 - Authenticated (Contributor+) SQL Injection

The Traveler theme for WordPress is vulnerable to SQL Injection in versions up to 3.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-l...

Published
Jan 22, 2026
Patched Release
3.2.8
Affected Versions
Versions before 3.2.8
Next Step
Update to 3.2.8 or newer if supported.
Open CVE-2026-24367 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-67917
CVE-2025-67917: Traveler <= 3.2.6 - Missing Authorization

The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Jan 05, 2026
Patched Release
3.2.7
Affected Versions
Versions up to 3.2.6
Next Step
Update to 3.2.7 or newer if supported.
Open CVE-2025-67917 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-64372
CVE-2025-64372: Traveler < 3.2.6 - Reflected Cross-Site Scripting

The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they...

Published
Nov 07, 2025
Patched Release
3.2.6
Affected Versions
Versions before 3.2.6
Next Step
Update to 3.2.6 or newer if supported.
Open CVE-2025-64372 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-64371
CVE-2025-64371: Traveler < 3.2.6 - Authenticated (Subscriber+) SQL Injection

The Traveler theme for WordPress is vulnerable to SQL Injection in versions up to 3.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-le...

Published
Nov 07, 2025
Patched Release
3.2.6
Affected Versions
Versions before 3.2.6
Next Step
Update to 3.2.6 or newer if supported.
Open CVE-2025-64371 Report Open CVE Reference
Theme Medium Patched: No CVE-2025-63028
CVE-2025-63028: Traveler <= 3.2.6 - Missing Authorization

The Traveler theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Nov 07, 2025
Patched Release
Not published
Affected Versions
Versions up to 3.2.6
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-63028 Report Open CVE Reference
Theme High Patched: Yes CVE-2025-64373
CVE-2025-64373: Traveler < 3.2.6 - Unauthenticated Local File Inclusion

The Traveler theme for WordPress is vulnerable to Local File Inclusion in versions up to 3.2.6. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to by...

Published
Nov 06, 2025
Patched Release
3.2.6
Affected Versions
Versions before 3.2.6
Next Step
Update to 3.2.6 or newer if supported.
Open CVE-2025-64373 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-59012
CVE-2025-59012: Travel Booking WordPress Theme < 3.2.3 - Reflected Cross-Site Scripting

The Travel Booking WordPress Theme theme for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to 3.2.3 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

Published
Sep 06, 2025
Patched Release
3.2.3
Affected Versions
Versions before 3.2.3
Next Step
Update to 3.2.3 or newer if supported.
Open CVE-2025-59012 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-59011
CVE-2025-59011: Travel Booking WordPress Theme < 3.2.3 - Missing Authorization to Unauthenticated Arbitrary Content Deletion

The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 3.2.3 (exclusive). This makes it possible for unauthenticated attackers to delete arbitrary content.

Published
Sep 06, 2025
Patched Release
3.2.3
Affected Versions
Versions before 3.2.3
Next Step
Update to 3.2.3 or newer if supported.
Open CVE-2025-59011 Report Open CVE Reference
Theme High Patched: Yes CVE-2025-52714
CVE-2025-52714: Traveler < 3.2.2 - Unauthenticated SQL Injection

The Traveler theme for WordPress is vulnerable to SQL Injection in versions up to 3.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additio...

Published
Jul 10, 2025
Patched Release
3.2.2
Affected Versions
Versions before 3.2.2
Next Step
Update to 3.2.2 or newer if supported.
Open CVE-2025-52714 Report Open CVE Reference
Theme Critical Patched: Yes CVE-2025-26873
CVE-2025-26873: Traveler < 3.2.1 - Unauthenticated PHP Object Injection

The Traveler theme for WordPress is vulnerable to PHP Object Injection in versions up to 3.2.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP c...

Published
Mar 27, 2025
Patched Release
3.2.1
Affected Versions
Versions before 3.2.1
Next Step
Update to 3.2.1 or newer if supported.
Open CVE-2025-26873 Report Open CVE Reference
Theme High Patched: Yes CVE-2025-26898
CVE-2025-26898: Traveler <= 3.2.0 - Unauthenticated SQL Injection

The Traveler theme for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers t...

Published
Mar 27, 2025
Patched Release
3.2.1
Affected Versions
Versions up to 3.2.0
Next Step
Update to 3.2.1 or newer if supported.
Open CVE-2025-26898 Report Open CVE Reference