CVE-2025-67917
Description
Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Traveler theme for WordPress (≤3.2.6) has a missing authorization vulnerability allowing unauthenticated privilege escalation.
The Traveler theme for WordPress, versions 3.2.6 and earlier, contains a missing authorization vulnerability. This broken access control issue stems from the theme's failure to properly verify user permissions or nonce tokens in certain functions, allowing unauthenticated users to perform actions intended for higher-privileged roles [1].
Exploitation requires no authentication and can be carried out remotely. Attackers can leverage this flaw to execute privileged operations without proper authorization, making it suitable for mass exploitation campaigns targeting thousands of WordPress sites regardless of their size [1].
Successful exploitation could allow an attacker to gain unauthorized access to administrative functions, potentially leading to full site compromise. The vulnerability is rated with a CVSS v3 score of 6.5 (Medium) and is considered moderately dangerous, with active exploitation expected [1].
The vendor has released version 3.2.7 to address the vulnerability. Users are strongly advised to update immediately. For those unable to update, applying a mitigation rule from security plugins like Patchstack can block attacks until the patch is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.