CVE-2021-4389
ENISA EUVD: EUVD-2021-34216
✓ Confirmed 0-Day
Triaged: March 20, 2026
1 article
Published: 2023-07-01
EPSS Score: 0.14% probability
Source: FIRST.org · 2026-05-23
This CVE has a 0.14% probability of being exploited in the next 30 days.
Top 33.3th percentile of all CVEs
CVSS v3.1: 4.3 MEDIUM
Source: VulnerabilityLookup (CIRCL)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
Source: VulnerabilityLookup (CNA)
The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected Products
wptravel
WP Travel – Ultimate Travel Booking System, Tour Management Engine
0
Attack Intelligence
Signal Intelligence
Confidence: 75%
EPSS: 0.14%
CVSS v3.1: 4.3
Mentions: 1
Last Seen: Dec 14, 2021
CNA Information
CNA Assigner: Wordfence
CNA Title: WP Travel <= 4.4.6 - Cross-Site Request Forgery Bypass
Analyst Note
Article explicitly identifies CVE-2021-4389 as a 'zero-day used by Emotet' in the title, with Microsoft patching it. The 2021 CVE year and active Emotet exploitation in the wild strongly support zero-day classification, though the truncated excerpt limits full timeline verification of patch-vs-exploitation timing.
Triage Info
Decided at: Mar 20, 2026
Published Date: Jul 01, 2023