CVE-2025-68042

Overview

CVE-2025-68042 describes a [missing authorization] vulnerability in the Travelpayouts WordPress plugin up to version 1.2.2. The core issue is that the plugin fails to properly verify access control permissions, allowing incorrectly configured security levels to be exploited [1]. This is classified as a broken access control problem.

Exploitation

Attackers can leverage this flaw by sending crafted requests that bypass intended privilege checks. While exploitation requires a privileged user to perform an action — such as clicking a malicious link, visiting a specially crafted page, or submitting a form — the attacker does not need to be authenticated with high-level privileges themselves [1]. The attack is performed over the network and does not require user interaction beyond the targeted privileged user's action.

Impact

Successful exploitation enables an attacker with a low-privileged role (or even unauthenticated, if the access control is completely absent) to execute higher-privileged actions within the WordPress installation. This could lead to unauthorized data modification, capability escalation, or further compromise of the site [1].

Mitigation

The vendor has not yet released an official patch as of the publication date. However, Patchstack has provided a temporary mitigation rule to block attacks until an official update is available and can be safely applied [1]. Users are strongly advised to update the plugin immediately once a patched version is released, or to contact their hosting provider for assistance if they cannot update themselves [1].