VYPR
Medium severity 4.3 · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2026-24940

Description

Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelfic Toolkit: from n/a through <= 1.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Travelfic Toolkit <= 1.3.3 has a missing authorization vulnerability allowing attackers to exploit broken access controls (CVSS 4.3, Medium).

Missing Authorization in Travelfic Toolkit

The Travelfic Toolkit plugin for WordPress versions up to and including 1.3.3 suffers from a missing authorization vulnerability. The root cause is that the plugin fails to properly verify access control security levels, allowing unprivileged users to execute actions intended for higher-privileged roles [1]. This type of vulnerability falls under the category of broken access control, where inadequate authentication or nonce token checks exist in certain plugin functions [1].

Exploitation and Attack Surface

The attack surface is accessible to any unauthenticated or low-privilege user who can interact with the vulnerable plugin functions. No special network position is required; an attacker can exploit this remotely via HTTP requests [1]. The vulnerability is considered easy to exploit and has been observed in mass-exploit campaigns targeting thousands of WordPress websites simultaneously, regardless of site size or popularity [1].

Impact

Successful exploitation allows an attacker to bypass intended access controls, potentially gaining unauthorized access to administrative functions or sensitive data [1]. The CVSS score of 4.3 (Medium) indicates limited impact on confidentiality, integrity, or availability, but the low attack complexity and no authentication requirements increase the risk in mass-attack scenarios [1].

Mitigation

The vendor Themefic has patched this vulnerability in version 1.3.4 of the Travelfic Toolkit plugin. Users are strongly advised to update immediately to the latest version available [1]. For those unable to update, consulting a hosting provider or web developer is recommended, and Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
