WordPress Plugin Vulnerabilities

WP Travel < 9.7.0 - Missing Authorization

Description

The WP Travel – Ultimate Travel Booking System, Tour Management Engine plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 9.6.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
wp-travel
Fixed in 9.7.0

References

CVE
CVE-2024-53813
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/599da697-6b24-47b0-aa12-8a8397213316

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
286b21d1-6c75-47e1-8627-5e970a2c706f

Timeline

Publicly Published
2024-12-02 (about 1 year ago)
Added
2024-12-11 (about 1 year ago)
Last Updated
2024-12-11 (about 1 year ago)

Other

Published
Title
Published
2025-01-16
Title
WP Meetup <= 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2025-04-02
Title
Shopify to WooCommerce Migration <= 1.3.0 - Missing Authorization to Unauthenticated Settings Update
Published
2024-04-25
Title
WooCommerce Amazon Affiliates < 14.1.0 - Missing Authorization
Published
2026-02-09
Title
Atarim < 4.2.2 - Missing Authorization
Published
2025-10-09
Title
Smash Balloon Social Post Feed < 4.3.3 - Missing Authorization