Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable WordPress plugin endpoint with no auth or interaction (AV:N/AC:L/PR:N/UI:N); auth bypass enables integrity tampering only (I:H), no disclosure or DoS (C:N/A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.
AnalysisAI
Authentication bypass in the MagePeople WpTravelly WordPress plugin through version 2.1.7 allows remote unauthenticated attackers to circumvent identity verification and tamper with integrity-protected data. The flaw, reported by Patchstack and tracked as EUVD-2026-36914, is a CWE-290 Authentication Bypass by Spoofing impacting tour booking workflows on any WordPress site running the affected plugin. No public exploit identified at time of analysis, but the network-reachable, no-interaction attack vector elevates urgency for site operators.
Technical ContextAI
WpTravelly is a tour booking manager plugin published by MagePeople Inc. for WordPress, identified by CPE cpe:2.3:a:magepeople_inc.:wptravelly. The underlying weakness is CWE-290 (Authentication Bypass by Spoofing), a class of flaw in which an attacker forges or replays identifying information so the application accepts requests as if they came from a trusted principal. In WordPress plugin ecosystems, this typically arises from missing or improperly implemented capability checks, nonce verification, or trust placed in client-controlled values such as user IDs in POST parameters or cookies. Because WpTravelly handles booking and tour management actions, bypassing authentication exposes administrative or user-context functions to unauthenticated callers.
RemediationAI
Upgrade the WpTravelly plugin to a version newer than 2.1.7 as published by MagePeople Inc.; no vendor-released patched version is independently confirmed in the supplied data, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-2-1-7-bypass-vulnerability-vulnerability for the fixed release identifier before applying. Until a confirmed fixed version is installed, compensating controls include deactivating the WpTravelly plugin entirely (trade-off: tour booking functionality goes offline), restricting access to wp-admin/admin-ajax.php and the plugin's REST routes via a WAF or .htaccess rules scoped to authenticated sessions or known IPs (trade-off: may break legitimate AJAX-driven bookings for end users), and enabling Patchstack or equivalent virtual patching for this specific CVE if available. Monitor WordPress audit logs for unexpected booking or user-data modifications as a detective control.
More in Wptravelly
View allMissing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-p
WpTravelly tour-booking-manager plugin through version 2.1.7 allows authenticated users to access sensitive information
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36914
GHSA-g5vh-j4v8-x58p