Skip to main content

WpTravelly EUVDEUVD-2026-31961

| CVE-2026-27331 MEDIUM
Missing Authorization (CWE-862)
2026-05-26 Patchstack GHSA-92p8-x3px-3vv6
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:29 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects WpTravelly: from n/a through 2.1.5.

AnalysisAI

Missing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-privileged user to exploit incorrectly configured access control security levels, gaining unauthorized access to functionality or data beyond their intended permissions. The flaw is network-accessible, requires no user interaction, and carries a balanced Low-CIA-triad impact per CVSS. No public exploit has been identified at time of analysis, and the EPSS score (0.03%, 10th percentile) suggests very low real-world exploitation probability despite the network-exposed attack surface.

Technical ContextAI

WpTravelly is a WordPress travel booking management plugin developed by Magepeople Inc., identified via CPE cpe:2.3:a:magepeople_inc.:wptravelly:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the authenticated requesting user has the appropriate capability or role before executing privileged operations. In WordPress plugin architecture, this typically manifests as REST API endpoints, AJAX handlers, or admin-facing actions that omit capability checks (e.g., current_user_can() calls), allowing subscriber- or contributor-level accounts to invoke functionality intended for administrators. The tag 'Authentication Bypass' signals that the access control misconfiguration effectively permits users to act above their assigned privilege tier, consistent with OWASP Broken Access Control (A01:2021).

RemediationAI

The primary remediation is to update WpTravelly to a version beyond 2.1.5 once a patched release is published by Magepeople Inc. - no specific fixed version number is confirmed in the available data at time of analysis. Monitor the WordPress plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-2-1-5-broken-access-control-vulnerability) for a patched release. As an immediate compensating control, disable user self-registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to prevent untrusted low-privilege accounts from existing, which eliminates the PR:L attack path entirely - note this may affect legitimate site functionality if public registration is required. Alternatively, restrict the plugin's sensitive endpoints using a Web Application Firewall rule targeting the affected plugin's AJAX or REST routes, though specific endpoint names are not confirmed from available data. Site administrators should also audit existing low-privilege user accounts for unauthorized activity.

Share

EUVD-2026-31961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy