CVE-2026-27089
Description
Unauthenticated bypass vulnerability in WordPress WpTravelly plugin <= 2.1.7 exploited in mass campaigns.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WpTravelly plugin for WordPress contains an unauthenticated bypass vulnerability in versions up to and including 2.1.7. The vulnerability allows an attacker to bypass certain restrictions without authentication, as reported in the Patchstack advisory [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to the vulnerable plugin. No prior authentication or user interaction is required, making it suitable for automated mass-exploitation [1].
Impact
Successful exploitation allows an attacker to bypass security restrictions, potentially leading to unauthorized access to sensitive information or administrative capabilities. The vulnerability is actively used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vulnerability has been fixed in version 2.1.8. Users are strongly advised to update immediately. If unable to update, consider disabling the plugin or seeking assistance from a hosting provider [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.7
Patches
No patches discovered yet.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026), Wordfence Blog, Jun 11, 2026