Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Travel Agency travel-agency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Agency: from n/a through <= 1.5.5.
AnalysisAI
Improper access control in raratheme Travel Agency versions up to 1.5.5 permits unauthenticated attackers to modify data through misconfigured authorization checks. This vulnerability allows unauthorized changes to travel agency information without requiring authentication or user interaction, potentially compromising business operations and data integrity.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws where the application fails to enforce proper privilege levels or role-based access controls before allowing sensitive operations. In this case, the raratheme Travel Agency plugin (a WordPress or similar content management system extension) does not validate user permissions before processing data modification requests, likely in REST API endpoints or form handlers. The affected versions through 1.5.5 lack proper capability checks (or equivalent authorization middleware) that should restrict administrative or data-modifying operations to authenticated and authorized users. The CPE identifier would typically be structured as cpe:2.3:a:raratheme:travel-agency, though the specific CPE string requires vendor confirmation. This is a common misconfiguration in plugin development where developers expose functionality without wrapping it in authorization checks.
RemediationAI
Upgrade raratheme Travel Agency to the latest patched version (1.5.6 or later, pending vendor confirmation) immediately upon release. Until a patch is available, implement compensating controls by restricting access to the Travel Agency plugin endpoints at the Web server level (via nginx/Apache configuration or WAF rules) to authenticated users only, disabling or deactivating the plugin if not actively in use, and auditing all recent data modifications for unauthorized changes. Review and enforce proper user role and capability checks across all Travel Agency plugin endpoints using WordPress capability checks (e.g., current_user_can()) or equivalent authorization middleware. Monitor the official raratheme or WordPress plugin security advisories for patch release notifications.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11831