Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpTravelly: from n/a through <= 2.1.7.
AnalysisAI
WpTravelly tour-booking-manager plugin through version 2.1.7 allows authenticated users to access sensitive information via broken access control, enabling privilege escalation within WordPress sites. The vulnerability requires user authentication and network access but does not permit modification or denial of service, affecting all WpTravelly installations up to the specified version. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified.
Technical ContextAI
WpTravelly is a WordPress plugin for tour and booking management distributed by magepeopleteam. The vulnerability stems from CWE-862 (Missing Authorization), a common web application flaw where access control checks are either absent or improperly configured. Authenticated users can bypass authorization controls intended to restrict access to specific functionality or data, allowing them to view information outside their intended permission scope. This is distinct from authentication bypass (CWE-287) because the attacker must possess valid credentials; the issue is in authorization logic after successful authentication. The plugin architecture allows users with basic roles (e.g., subscriber, contributor) to interact with tour booking data and administrative functions that should be restricted to higher-privilege accounts (administrators, tour operators).
RemediationAI
Update WpTravelly to a version later than 2.1.7 when released by magepeopleteam; exact patched version is not specified in available advisory data. Administrators should check the WordPress plugin dashboard or the Patchstack database for patch availability and release notes. Until a patch is confirmed, implement application-level mitigations: restrict user registration (disable public signup if not business-critical), audit which user roles can access tour booking functionality through WordPress capability filters, and limit high-privilege plugin features to administrator-only users via role-based access control. Monitor access logs for unusual data access patterns by low-privilege accounts. Refer to https://patchstack.com/database/Wordpress/Plugin/tour-booking-manager/vulnerability/ for current patch status and security recommendations from the vendor.
More in Wptravelly
View allAuthentication bypass in the MagePeople WpTravelly WordPress plugin through version 2.1.7 allows remote unauthenticated
Missing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-p
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20211