CVE-2026-27331
Description
Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WpTravelly: from n/a through 2.1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WpTravelly plugin versions up to 2.1.5 allows unauthenticated attackers to access higher-privileged functions.
Vulnerability
The WpTravelly plugin (tour-booking-manager) for WordPress contains a missing authorization vulnerability in all versions through 2.1.5 [2]. The issue stems from incorrectly configured access control security levels: functions that require higher privileges can be executed without proper capability or nonce checks [2].
Exploitation
An attacker needs no authentication or special network position, as the vulnerable endpoints are accessible to any visitor. The attacker can send crafted HTTP requests to the affected plugin's endpoints, triggering actions intended only for authenticated administrators without having valid credentials or nonce tokens [2].
Impact
Successful exploitation allows an unauthenticated attacker to execute higher-privileged actions within the plugin, such as modifying booking data, altering configuration, or accessing sensitive information. This leads to a compromise of the plugin's access control, potentially affecting availability and integrity of the travel booking system [2].
Mitigation
Fixed in version 2.1.6, released on 2026-05-22 according to the plugin repository [1]. Users are advised to update to version 2.1.6 or later immediately [2]. Patchstack users can enable auto-update for vulnerable plugins. No workarounds are provided; if unable to update immediately, disabling the plugin until the patch can be applied is recommended [2].
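To act on the update advice across several sites, the following added example (not code from the plugin or from this advisory) reports whether a WordPress install carries a WpTravelly release older than 2.1.6. It assumes the default `wp-content/plugins/<slug>` layout; because this page does not name the plugin's main file, it reads the `Version:` header from whichever top-level PHP file carries a `Plugin Name:` header.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "tour-booking-manager"  # plugin slug as given on this page
FIXED = (2, 1, 6)                     # first fixed release according to this page

# Same shape as the header line WordPress itself parses: " * Version: 2.1.5"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def parse_version(text):
    """Turn '2.1.5' into (2, 1, 5); a '-suffix' is ignored, short versions are zero-padded."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if absent."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
        if re.search(r"Plugin Name:", head, re.I):
            match = HEADER_RE.search(head)
            if match:
                return match.group(1)
    return None


def audit(wp_root):
    """Return (status, version) for the plugin under one WordPress root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)  # directory exists but no header: inspect by hand
    status = "vulnerable" if parse_version(version) < FIXED else "fixed"
    return (status, version)


if __name__ == "__main__":
    for root in sys.argv[1:]:
        print(root, *audit(root))
```

A `vulnerable` result means the site should be updated, or the plugin disabled until it can be; the check reads files on disk only and does not tell you whether the plugin is active.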
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.1.5
- Range: <= 2.1.5
Patches
No patches discovered yet.