CVE-2026-24568

Vulnerability

Overview CVE-2026-24568 is a missing authorization vulnerability in the WP Travel plugin for WordPress, affecting versions up to and including 11.1.0. The plugin fails to properly enforce access control checks, allowing attackers to exploit incorrectly configured security levels [1]. This type of flaw is categorized as a broken access control issue, where functions lack necessary authorization, nonce tokens, or authentication checks are absent or insufficient [1].

Exploitation

Conditions An attacker can exploit this vulnerability without requiring authentication, as the missing authorization check allows unprivileged users to execute actions that should be restricted to higher-privileged roles [1]. The attack surface is broad because the plugin is widely used, and the vulnerability is often targeted in mass-exploit campaigns against thousands of WordPress sites regardless of their size or popularity [1].

Impact

Successful exploitation could enable an attacker to perform unauthorized operations within the context of the WP Travel plugin, potentially leading to data exposure, privilege escalation, or other malicious activities depending on the specific missing check [1]. The CVSS v3 base score of 5.3 (Medium) reflects the potential for significant impact despite the relatively low complexity of the attack [1].

Mitigation

The vulnerability has been addressed in WP Travel version 11.1.1. Users are strongly advised to update immediately. If updating is not possible, consulting a hosting provider or web developer is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely protection [1].