Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Booking: from n/a through <= 1.3.9.
AnalysisAI
Improper access control in wptravelengine Travel Booking versions up to 1.3.9 permits unauthenticated attackers to modify data through incorrectly configured authorization checks. An attacker can exploit this vulnerability to tamper with travel booking information without requiring valid credentials or user interaction. No patch is currently available for this medium-severity vulnerability.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a common authorization flaw where the application fails to verify that a user is authorized to perform specific operations. In the context of wptravelengine Travel Booking, this manifests as incorrectly configured access control security levels that do not properly validate user permissions before allowing sensitive actions. The affected product is identified as wptravelengine Travel Booking (CPE identifier would be cpe:2.3:a:wptravelengine:travel-booking). The root cause involves missing or insufficient authorization checks in API endpoints or admin functions, allowing attackers to bypass role-based access controls and execute actions reserved for authenticated administrators or specific user roles. This is particularly problematic in WordPress plugin ecosystems where access control misconfiguration can expose booking data, financial information, and system administrative capabilities.
RemediationAI
The primary remediation is to upgrade wptravelengine Travel Booking to a version later than 1.3.9 immediately upon availability of the patched release. Users should monitor the official wptravelengine website and the WordPress.org plugin repository for the security update announcement and apply it without delay. As an interim measure pending patch availability, implement network-level access controls restricting administrative endpoints to trusted IP ranges, disable public access to the Travel Booking admin API endpoints via Web Application Firewall (WAF) rules, and review access logs for suspicious authorization bypass attempts. Additionally, consider implementing WordPress security hardening measures such as disabling direct admin access from untrusted networks and enforcing strong authentication via two-factor authentication plugins on administrator accounts with booking management capabilities.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12025