Skip to main content

WpTravelly EUVDEUVD-2026-36914

| CVE-2026-27089 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-06-15 Patchstack GHSA-g5vh-j4v8-x58p
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable WordPress plugin endpoint with no auth or interaction (AV:N/AC:L/PR:N/UI:N); auth bypass enables integrity tampering only (I:H), no disclosure or DoS (C:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:40 vuln.today

DescriptionCVE.org

Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.

AnalysisAI

Authentication bypass in the MagePeople WpTravelly WordPress plugin through version 2.1.7 allows remote unauthenticated attackers to circumvent identity verification and tamper with integrity-protected data. The flaw, reported by Patchstack and tracked as EUVD-2026-36914, is a CWE-290 Authentication Bypass by Spoofing impacting tour booking workflows on any WordPress site running the affected plugin. No public exploit identified at time of analysis, but the network-reachable, no-interaction attack vector elevates urgency for site operators.

Technical ContextAI

WpTravelly is a tour booking manager plugin published by MagePeople Inc. for WordPress, identified by CPE cpe:2.3:a:magepeople_inc.:wptravelly. The underlying weakness is CWE-290 (Authentication Bypass by Spoofing), a class of flaw in which an attacker forges or replays identifying information so the application accepts requests as if they came from a trusted principal. In WordPress plugin ecosystems, this typically arises from missing or improperly implemented capability checks, nonce verification, or trust placed in client-controlled values such as user IDs in POST parameters or cookies. Because WpTravelly handles booking and tour management actions, bypassing authentication exposes administrative or user-context functions to unauthenticated callers.

RemediationAI

Upgrade the WpTravelly plugin to a version newer than 2.1.7 as published by MagePeople Inc.; no vendor-released patched version is independently confirmed in the supplied data, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-2-1-7-bypass-vulnerability-vulnerability for the fixed release identifier before applying. Until a confirmed fixed version is installed, compensating controls include deactivating the WpTravelly plugin entirely (trade-off: tour booking functionality goes offline), restricting access to wp-admin/admin-ajax.php and the plugin's REST routes via a WAF or .htaccess rules scoped to authenticated sessions or known IPs (trade-off: may break legitimate AJAX-driven bookings for end users), and enabling Patchstack or equivalent virtual patching for this specific CVE if available. Monitor WordPress audit logs for unexpected booking or user-data modifications as a detective control.

Share

EUVD-2026-36914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy