Wptravelly
Monthly
Authentication bypass in the MagePeople WpTravelly WordPress plugin through version 2.1.7 allows remote unauthenticated attackers to circumvent identity verification and tamper with integrity-protected data. The flaw, reported by Patchstack and tracked as EUVD-2026-36914, is a CWE-290 Authentication Bypass by Spoofing impacting tour booking workflows on any WordPress site running the affected plugin. No public exploit identified at time of analysis, but the network-reachable, no-interaction attack vector elevates urgency for site operators.
Missing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-privileged user to exploit incorrectly configured access control security levels, gaining unauthorized access to functionality or data beyond their intended permissions. The flaw is network-accessible, requires no user interaction, and carries a balanced Low-CIA-triad impact per CVSS. No public exploit has been identified at time of analysis, and the EPSS score (0.03%, 10th percentile) suggests very low real-world exploitation probability despite the network-exposed attack surface.
WpTravelly tour-booking-manager plugin through version 2.1.7 allows authenticated users to access sensitive information via broken access control, enabling privilege escalation within WordPress sites. The vulnerability requires user authentication and network access but does not permit modification or denial of service, affecting all WpTravelly installations up to the specified version. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified.
Authentication bypass in the MagePeople WpTravelly WordPress plugin through version 2.1.7 allows remote unauthenticated attackers to circumvent identity verification and tamper with integrity-protected data. The flaw, reported by Patchstack and tracked as EUVD-2026-36914, is a CWE-290 Authentication Bypass by Spoofing impacting tour booking workflows on any WordPress site running the affected plugin. No public exploit identified at time of analysis, but the network-reachable, no-interaction attack vector elevates urgency for site operators.
Missing authorization controls in the WpTravelly WordPress plugin (versions through 2.1.5) allow any authenticated low-privileged user to exploit incorrectly configured access control security levels, gaining unauthorized access to functionality or data beyond their intended permissions. The flaw is network-accessible, requires no user interaction, and carries a balanced Low-CIA-triad impact per CVSS. No public exploit has been identified at time of analysis, and the EPSS score (0.03%, 10th percentile) suggests very low real-world exploitation probability despite the network-exposed attack surface.
WpTravelly tour-booking-manager plugin through version 2.1.7 allows authenticated users to access sensitive information via broken access control, enabling privilege escalation within WordPress sites. The vulnerability requires user authentication and network access but does not permit modification or denial of service, affecting all WpTravelly installations up to the specified version. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified.