WordPress WpTravelly plugin <= 1.7.7 - Broken Access Control vulnerability
CVE-2024-43212

7.5HIGH

Key Information:

Vendor: WordPress
Status: WPtravelly
Vendor: CVE Published:; 1 November 2024

Summary

A vulnerability has been identified in the WpTravelly plugin developed by MagePeople, leading to improper access control due to missing authorization checks. This issue allows users to exploit functionality that should have been constrained by Access Control Lists (ACLs), potentially compromising sensitive operations within the plugin. The vulnerability affects all versions of WpTravelly prior to and including 1.7.7, necessitating urgent attention from site administrators to ensure appropriate security measures are enforced.

Affected Version(s)

WpTravelly <= 1.7.7

References

https://patchstack.com/database/vulnerability/tour-bookin...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 1, 2024
Vulnerability Reserved
Aug 9, 2024

Credit

Majed Refaea (Patchstack Alliance)