{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32346", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:35.809Z", "datePublished": "2026-03-13T11:41:58.085Z", "dateUpdated": "2026-04-29T09:51:57.729Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "travel-agency", "product": "Travel Agency", "vendor": "raratheme", "versions": [{"changes": [{"at": "1.5.6", "status": "unaffected"}], "lessThanOrEqual": "1.5.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:38.945Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in raratheme Travel Agency travel-agency allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Travel Agency: from n/a through <= 1.5.5.</p>"}], "value": "Missing Authorization vulnerability in raratheme Travel Agency travel-agency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Agency: from n/a through <= 1.5.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.729Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/travel-agency/vulnerability/wordpress-travel-agency-theme-1-5-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Travel Agency theme <= 1.5.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32346", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:44:43.830640Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:53:30.647Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32346", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:44:43.830640Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:44:44.503Z"}}], "cna": {"title": "WordPress Travel Agency theme <= 1.5.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "raratheme", "product": "Travel Agency", "versions": [{"status": "affected", "changes": [{"at": "1.5.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.5.5"}], "packageName": "travel-agency", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:38.945Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/travel-agency/vulnerability/wordpress-travel-agency-theme-1-5-5-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in raratheme Travel Agency travel-agency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Agency: from n/a through <= 1.5.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in raratheme Travel Agency travel-agency allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Travel Agency: from n/a through <= 1.5.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.729Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32346", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:51:57.729Z", "dateReserved": "2026-03-12T11:10:35.809Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:41:58.085Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in raratheme Travel Agency travel-agency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Agency: from n/a through <= 1.5.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en raratheme Travel Agency travel-agency permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Travel Agency: desde n/a hasta &lt;= 1.5.5."}], "id": "CVE-2026-32346", "lastModified": "2026-04-29T10:16:59.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:46.237", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/travel-agency/vulnerability/wordpress-travel-agency-theme-1-5-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.5]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.5.6"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Travel Agency", "source": "cna", "vendor": "raratheme"}, "product": "travel_agency", "vendor": "rarathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:50:45.158799+00:00", "value": {"mitigation_remediation": ["Update the Travel Agency theme to the latest available version (for example 1.5.6 or newer if released).", "Verify that role\u2011based access control settings in your WordPress installation are correctly configured to prevent unauthorized access."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "This issue affects installations of the Travel Agency theme from raratheme for WordPress with versions from n/a through 1.5.5 inclusive. Any WordPress site that is running version 1.5.5 or earlier is potentially vulnerable.", "description_and_impact": "The vulnerability is a Missing Authorization flaw in the raratheme Travel Agency WordPress theme which allows exploitation of incorrectly configured access control security levels. This flaw permits unauthorized access to functionality or data that should be restricted. The weakness is classified as CWE-862.", "risk_and_exploitability": "With a CVSS score of 5.3 the vulnerability is of moderate severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation in the near term. The attack vector is inferred to be web\u2011based, whereby an attacker can interact with the WordPress site and send crafted requests to areas that are not properly protected due to incorrect access control configuration. No specific exploitation prerequisites are disclosed in the available information."}}}}, "created": "2026-03-16T09:34:59.841157+00:00", "updated": "2026-03-23T09:59:09.711269+00:00", "vendors": ["rarathemes", "rarathemes$PRODUCT$travel_agency", "wordpress", "wordpress$PRODUCT$wordpress"]}