{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24607", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:17.047Z", "datePublished": "2026-01-23T14:29:04.281Z", "dateUpdated": "2026-04-28T16:14:50.304Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "travel-monster", "product": "Travel Monster", "vendor": "wptravelengine", "versions": [{"changes": [{"at": "1.3.4", "status": "unaffected"}], "lessThanOrEqual": "1.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "John P | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:50.642Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Travel Monster: from n/a through <= 1.3.3.</p>"}], "value": "Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Monster: from n/a through <= 1.3.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.304Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Travel Monster theme <= 1.3.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T17:12:48.073414Z", "id": "CVE-2026-24607", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:37:20.172Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24607", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T17:12:48.073414Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T17:09:48.042Z"}}], "cna": {"title": "WordPress Travel Monster theme <= 1.3.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "John P | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "wptravelengine", "product": "Travel Monster", "versions": [{"status": "affected", "changes": [{"at": "1.3.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.3"}], "packageName": "travel-monster", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:50.642Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Monster: from n/a through <= 1.3.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Travel Monster: from n/a through <= 1.3.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.975Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24607", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:37:20.172Z", "dateReserved": "2026-01-23T12:32:17.047Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:04.281Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Monster: from n/a through <= 1.3.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en wptravelengine Travel Monster travel-monster permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Travel Monster: desde n/a hasta &lt;= 1.3.3."}], "id": "CVE-2026-24607", "lastModified": "2026-04-28T15:16:19.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:19.567", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:32:41.299188+00:00", "value": {"mitigation_remediation": ["Update the Travel Monster theme to any version newer than 1.3.3 that includes the fix for the access control flaw.", "Review and restrict WordPress user roles so that only administrators possess capabilities to manage theme options or sensitive settings.", "If an update is not immediately available, deactivate the theme or enforce strict role\u2011based access restrictions through a dedicated ACL plugin until the issue is resolved."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access to Protected Resources"}, "threat_synthesis": {"affected_systems": "The affected item is the WordPress Travel Monster theme from the vendor wptravelengine, with versions ranging from any earlier version up to version 1.3.3 inclusive. All installations running those versions are susceptible, regardless of the surrounding WordPress environment.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows users to exploit incorrectly configured access control settings. An attacker can gain unauthorized access to resources or functionalities that should be restricted, potentially exposing sensitive data or enabling further compromise. This broken access control directly impacts confidentiality and integrity, as privileged actions can be performed without proper verification.", "risk_and_exploitability": "The CVSS score of 5.3 classifies the issue as medium severity, and the current EPSS score is under 1% indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalogue. The attack vector is inferred to be web\u2011based, leveraging incorrectly configured security roles; an attacker who can access the site with a user account but lacking the required capabilities could potentially exploit the flaw. Until a patched version is applied, the risk remains until the theme is updated or access controls are manually tightened."}}}}, "created": "2026-01-26T11:53:08.860423+00:00", "updated": "2026-04-16T01:45:20.647972+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}