Skip to main content

Travel Agency EUVDEUVD-2026-11831

| CVE-2026-32346 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11831
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:41 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in raratheme Travel Agency travel-agency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Agency: from n/a through <= 1.5.5.

AnalysisAI

Improper access control in raratheme Travel Agency versions up to 1.5.5 permits unauthenticated attackers to modify data through misconfigured authorization checks. This vulnerability allows unauthorized changes to travel agency information without requiring authentication or user interaction, potentially compromising business operations and data integrity.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws where the application fails to enforce proper privilege levels or role-based access controls before allowing sensitive operations. In this case, the raratheme Travel Agency plugin (a WordPress or similar content management system extension) does not validate user permissions before processing data modification requests, likely in REST API endpoints or form handlers. The affected versions through 1.5.5 lack proper capability checks (or equivalent authorization middleware) that should restrict administrative or data-modifying operations to authenticated and authorized users. The CPE identifier would typically be structured as cpe:2.3:a:raratheme:travel-agency, though the specific CPE string requires vendor confirmation. This is a common misconfiguration in plugin development where developers expose functionality without wrapping it in authorization checks.

RemediationAI

Upgrade raratheme Travel Agency to the latest patched version (1.5.6 or later, pending vendor confirmation) immediately upon release. Until a patch is available, implement compensating controls by restricting access to the Travel Agency plugin endpoints at the Web server level (via nginx/Apache configuration or WAF rules) to authenticated users only, disabling or deactivating the plugin if not actively in use, and auditing all recent data modifications for unauthorized changes. Review and enforce proper user role and capability checks across all Travel Agency plugin endpoints using WordPress capability checks (e.g., current_user_can()) or equivalent authorization middleware. Monitor the official raratheme or WordPress plugin security advisories for patch release notifications.

Share

EUVD-2026-11831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy