{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68042", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:07.754Z", "datePublished": "2026-02-20T15:46:36.826Z", "dateUpdated": "2026-04-28T19:56:30.949Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "travelpayouts", "product": "Travelpayouts", "vendor": "Travelpayouts", "versions": [{"lessThanOrEqual": "1.2.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:46.155Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Travelpayouts: from n/a through <= 1.2.2.</p>"}], "value": "Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelpayouts: from n/a through <= 1.2.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.560Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/travelpayouts/vulnerability/wordpress-travelpayouts-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Travelpayouts plugin <= 1.2.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T19:03:29.063892Z", "id": "CVE-2025-68042", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:56:30.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68042", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T19:03:29.063892Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T19:02:46.376Z"}}], "cna": {"title": "WordPress Travelpayouts plugin <= 1.2.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Travelpayouts", "product": "Travelpayouts", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.2.1"}], "packageName": "travelpayouts", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-20T16:43:58.108Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/travelpayouts/vulnerability/wordpress-travelpayouts-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelpayouts: from n/a through <= 1.2.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Travelpayouts: from n/a through <= 1.2.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-20T15:46:36.826Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68042", "state": "PUBLISHED", "dateUpdated": "2026-02-25T19:03:47.881Z", "dateReserved": "2025-12-15T10:01:07.754Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:36.826Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelpayouts: from n/a through <= 1.2.2."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Travelpayouts Travelpayouts travelpayouts permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Travelpayouts: desde n/a hasta &lt;= 1.2.1."}], "id": "CVE-2025-68042", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:08.493", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/travelpayouts/vulnerability/wordpress-travelpayouts-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Travelpayouts", "source": "cna", "vendor": "Travelpayouts"}, "product": "travelpayouts", "vendor": "travelpayouts"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:43:36.907289+00:00", "value": {"mitigation_remediation": ["Upgrade the Travelpayouts plugin to the latest version (greater than 1.2.2) to apply the vendor\u2019s fix for the missing authorization flaw.", "Review and enforce proper role-based access controls within WordPress, ensuring that administrative capabilities exposed by the plugin are restricted to authorized users only.", "Perform a comprehensive audit of all user accounts and capabilities to detect any unintended privilege escalation that could have occurred due to the vulnerability."], "summary": {"action": "Patch", "impact": "Unauthorized access via missing authorization"}, "threat_synthesis": {"affected_systems": "The affected product is the Travelpayouts plugin for WordPress. All installations running version 1.2.2 or earlier are vulnerable, including any unreleased or unspecified builds that fall within the range n/a through <=1.2.2.", "description_and_impact": "Travelpayouts WordPress plugin contains a missing authorization flaw, allowing users to bypass intended access controls and interact with restricted plugin functions. The weakness is identified as CWE-862 (Missing Authorization). Depending on the plugin\u2019s configuration, an attacker could potentially read, modify, or delete data exposed by the plugin, thereby compromising the confidentiality and integrity of site content and potentially escalating privileges to higher levels within the WordPress environment.", "risk_and_exploitability": "The CVSS score of 6.5 classifies this issue as a medium severity vulnerability. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability has not been catalogued in CISA\u2019s KEV database. The attack vector is most likely via the web interface of the plugin, where user input is not properly verified against the user\u2019s role, enabling an unauthorized user to exploit administrative or management endpoints."}}}}, "created": "2026-02-23T14:45:39.983872+00:00", "updated": "2026-04-27T20:45:12.713032+00:00", "vendors": ["travelpayouts", "travelpayouts$PRODUCT$travelpayouts", "wordpress", "wordpress$PRODUCT$wordpress"]}