A critical Broken Access Control vulnerability has been identified in the WP Travel plugin. This vulnerability could allow an unprivileged user to execute certain higher-privileged actions on the website.
Mika discovered and reported this vulnerability.
This vulnerability is caused by a flaw in the way that the WP Travel plugin handles authorization and authentication checks. The vulnerability allows an attacker to exploit a flaw in the plugin’s code to execute certain higher-privileged actions on the affected website.
Critical (CVSS 3.1 score of 7.5)
All versions of the WP Travel plugin
If a malicious actor is able to exploit this vulnerability, they could:
- Execute certain higher-privileged actions on the website
- Install and execute malicious plugins or themes
- Steal data from websites, such as user information or passwords
Disable the WP Travel plugin immediately. There is no patched version available at this time.