{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24940", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:05.801Z", "datePublished": "2026-02-03T14:08:32.886Z", "dateUpdated": "2026-04-28T16:14:50.958Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "travelfic-toolkit", "product": "Travelfic Toolkit", "vendor": "Themefic", "versions": [{"changes": [{"at": "1.3.4", "status": "unaffected"}], "lessThanOrEqual": "1.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:52.314Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Travelfic Toolkit: from n/a through <= 1.3.3.</p>"}], "value": "Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelfic Toolkit: from n/a through <= 1.3.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.958Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/travelfic-toolkit/vulnerability/wordpress-travelfic-toolkit-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Travelfic Toolkit plugin <= 1.3.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T18:42:47.747869Z", "id": "CVE-2026-24940", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:45:34.218Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24940", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T18:42:47.747869Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T18:42:11.526Z"}}], "cna": {"title": "WordPress Travelfic Toolkit plugin <= 1.3.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Themefic", "product": "Travelfic Toolkit", "versions": [{"status": "affected", "changes": [{"at": "1.3.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.3"}], "packageName": "travelfic-toolkit", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:28.822Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/travelfic-toolkit/vulnerability/wordpress-travelfic-toolkit-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelfic Toolkit: from n/a through <= 1.3.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Travelfic Toolkit: from n/a through <= 1.3.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:46.667Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24940", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:45:34.218Z", "dateReserved": "2026-01-28T09:50:05.801Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:32.886Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelfic Toolkit: from n/a through <= 1.3.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Themefic Travelfic Toolkit travelfic-toolkit permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Travelfic Toolkit: desde n/a hasta &lt;= 1.3.3."}], "id": "CVE-2026-24940", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:15.477", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/travelfic-toolkit/vulnerability/wordpress-travelfic-toolkit-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:21:28.129526+00:00", "value": {"mitigation_remediation": ["Update the Travelfic Toolkit plugin to the latest available version (e.g., 1.3.4 or newer) or uninstall the plugin if it is unnecessary.", "Audit user roles and remove any unnecessary administrative privileges that might allow access to the plugin\u2019s protected sections.", "Restrict access to the plugin\u2019s administrative pages by applying role\u2011based access controls or a web\u2011firewall rule that blocks requests from non\u2011administrator users.", "Continuously monitor server logs for attempts to access privileged plugin endpoints and investigate any suspicious activity."], "summary": {"action": "Assess Impact", "impact": "Unauthorized access to privileged plugin resources"}, "threat_synthesis": {"affected_systems": "The issue impacts the Themefic Travelfic Toolkit plugin for WordPress, affecting all installations using version 1.3.3 or older. Sites running the plugin without the latest security fixes are susceptible to exploitation. No specific operating system details are provided beyond the WordPress environment, so any system hosting WordPress with an affected plugin version is at risk.", "description_and_impact": "WordPress Travelfic Toolkit plugin up to version 1.3.3 contains a missing authorization flaw, allowing an attacker to bypass the plugin\u2019s access control restrictions and perform privileged operations. The vulnerability stems from incorrectly configured security levels, effectively exposing sensitive administrative functions to unauthenticated or insufficiently privileged users. The weakness aligns with CWE\u2011862, which describes the lack of proper authorization checks.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a moderate risk profile, while the EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not currently listed in the CISA KEV catalog. Attackers are likely to exploit this flaw remotely via standard HTTP requests to privileged plugin endpoints that lack proper role checks. Because the flaw permits unauthorized access to protected functionalities, any attacker who can reach these endpoints could potentially modify or create content, change settings, or gain administrative leverage on the affected WordPress site. As the attack vector is inferred to be remote web\u2011based, security teams should monitor for suspicious activity and apply the recommended mitigations promptly."}}}}, "created": "2026-02-04T12:14:12.176319+00:00", "updated": "2026-04-16T01:30:20.309024+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}