Skip to main content

Wptravelly EUVDEUVD-2026-20211

| CVE-2026-39565 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20211
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpTravelly: from n/a through <= 2.1.7.

AnalysisAI

WpTravelly tour-booking-manager plugin through version 2.1.7 allows authenticated users to access sensitive information via broken access control, enabling privilege escalation within WordPress sites. The vulnerability requires user authentication and network access but does not permit modification or denial of service, affecting all WpTravelly installations up to the specified version. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified.

Technical ContextAI

WpTravelly is a WordPress plugin for tour and booking management distributed by magepeopleteam. The vulnerability stems from CWE-862 (Missing Authorization), a common web application flaw where access control checks are either absent or improperly configured. Authenticated users can bypass authorization controls intended to restrict access to specific functionality or data, allowing them to view information outside their intended permission scope. This is distinct from authentication bypass (CWE-287) because the attacker must possess valid credentials; the issue is in authorization logic after successful authentication. The plugin architecture allows users with basic roles (e.g., subscriber, contributor) to interact with tour booking data and administrative functions that should be restricted to higher-privilege accounts (administrators, tour operators).

RemediationAI

Update WpTravelly to a version later than 2.1.7 when released by magepeopleteam; exact patched version is not specified in available advisory data. Administrators should check the WordPress plugin dashboard or the Patchstack database for patch availability and release notes. Until a patch is confirmed, implement application-level mitigations: restrict user registration (disable public signup if not business-critical), audit which user roles can access tour booking functionality through WordPress capability filters, and limit high-privilege plugin features to administrator-only users via role-based access control. Monitor access logs for unusual data access patterns by low-privilege accounts. Refer to https://patchstack.com/database/Wordpress/Plugin/tour-booking-manager/vulnerability/ for current patch status and security recommendations from the vendor.

Share

EUVD-2026-20211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy