{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24568", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:58.117Z", "datePublished": "2026-01-23T14:28:56.433Z", "dateUpdated": "2026-04-28T16:14:49.315Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-travel", "product": "WP Travel", "vendor": "WP Travel", "versions": [{"changes": [{"at": "11.1.1", "status": "unaffected"}], "lessThanOrEqual": "11.1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:55.415Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Travel: from n/a through <= 11.1.0.</p>"}], "value": "Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Travel: from n/a through <= 11.1.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.315Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-11-0-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Travel plugin <= 11.1.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:44:04.329823Z", "id": "CVE-2026-24568", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:27:11.741Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24568", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:44:04.329823Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:43:59.541Z"}}], "cna": {"title": "WordPress WP Travel plugin <= 11.1.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WP Travel", "product": "WP Travel", "versions": [{"status": "affected", "changes": [{"at": "11.1.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "11.1.0"}], "packageName": "wp-travel", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:55.415Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-11-0-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Travel: from n/a through <= 11.1.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Travel: from n/a through <= 11.1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.135Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24568", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:27:11.741Z", "dateReserved": "2026-01-23T12:31:58.117Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:56.433Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Travel: from n/a through <= 11.1.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WP Travel WP Travel wp-travel permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Travel: desde n/a hasta &lt;= 11.0.0."}], "id": "CVE-2026-24568", "lastModified": "2026-04-28T15:16:15.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:14.570", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-11-0-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:28:31.040432+00:00", "value": {"mitigation_remediation": ["Upgrade WP Travel to the latest available version (currently beyond 11.1.0).", "Limit administrative roles by ensuring only trusted users have access to WP Travel\u2019s privileged pages.", "Enable two\u2011factor authentication for WordPress admin accounts to reduce the risk of credential compromise."], "summary": {"action": "Apply Update", "impact": "Unauthorized Access (Missing Authorization)"}, "threat_synthesis": {"affected_systems": "Affected users are those running the WP Travel plugin version 11.1.0 or earlier. The plugin vendor \u2018WP Travel\u2019 is listed as the CNA, and the problem spans all releases from the earliest available version through 11.1.0. Exact patch versions are not enumerated in the data, but any install of the plugin older than 11.1.1 is unprotected.", "description_and_impact": "A missing authorization flaw exists in the WP Travel WordPress plugin, allowing attackers to abuse incorrectly configured access control levels. The vulnerability can lead to unauthorized execution of privileged functions within the plugin. The weakness corresponds to CWE-862, which highlights unauthorized access due to trust boundary violations. Based on the description, the likely attack vector involves sending requests to the plugin\u2019s administrative endpoints as an authenticated user, exploiting the lack of proper role checks.", "risk_and_exploitability": "The CVSS score of 5.3 denotes moderate severity, and the EPSS score indicating an exploitation probability of less than 1% suggests that this flaw is not widely used in the wild yet. The issue is not present in the CISA KEV catalog, further implying low current exploitation risk. The attack likely requires the attacker to access the WordPress site and interact with the plugin\u2019s protected functions, inferred as needing an authenticated session to exploit the missing authorization checks."}}}}, "created": "2026-01-26T11:53:08.115848+00:00", "updated": "2026-04-16T07:30:28.608965+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wptravelengine", "wptravelengine$PRODUCT$wp_travel_engine"]}