WordPress Plugin Vulnerabilities

WP Travel < 7.8.1 - Unauthenticated AJAX Calls

Description

The plugin does not have authorisation checks in various AJAX actions, allowing unauthenticated users to call them and update the plugin settings for example.

Affects Plugins

Plugin icon
wp-travel
Fixed in 7.8.1

References

CVE
CVE-2023-47224
URL
https://patchstack.com/database/vulnerability/wp-travel/wordpress-wp-travel-plugin-7-5-0-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
Yes
WPVDB ID
7ebaee47-72c0-43e9-92e5-145ad40ece97

Timeline

Publicly Published
2023-11-03 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-22 (about 2 years ago)

Other

Published
Title
Published
2026-01-29
Title
Nelio Popups < 1.3.6 - Missing Authorization
Published
2025-05-08
Title
Website Builder by SeedProd < 6.18.16 - Subscriber+ Sensitive Information Exposure
Published
2026-04-16
Title
HAPPY – Helpdesk Support Ticket System < 1.0.11 - Missing Authorization
Published
2023-12-07
Title
Square Thumbnails < 1.1.2 - Missing Authorization
Published
2025-10-15
Title
Cost Calculator Builder < 3.5.33 - Missing Authorization