Impact
The Backpack Traveler theme contains an Insecure Direct Object Reference (IDOR) flaw: a key value supplied in HTTP requests is under the user's control and is used to select the resource being accessed. This lets an attacker read or manipulate data belonging to other users or system resources, bypassing the intended access controls. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), meaning that user-supplied input influences authorization decisions. The impact is limited to the confidentiality and integrity of content managed by the theme; it does not directly compromise the WordPress core or the database server.
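The pattern described above, shown as an added illustration rather than code from the Backpack Traveler theme (whose vulnerable endpoint is not identified here): a hypothetical WordPress AJAX handler in the CWE-639 shape, beside a hardened version that decides authorization per object with WordPress capabilities. The action name, parameter names and meta key are assumptions.

```php
<?php
// Added illustration of CWE-639 in a WordPress theme context. The action,
// parameter names and meta key are assumptions, not the theme's own code.

// VULNERABLE: the request supplies the key (item_id) and the handler trusts it.
// Any caller who can reach this action can update metadata on any post simply
// by changing item_id; authorization is effectively decided by the client.
function bt_example_save_item_vulnerable() {
    $item_id = absint( $_POST['item_id'] ?? 0 );
    $note    = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_post_meta( $item_id, '_bt_example_note', $note ); // no ownership check
    wp_send_json_success();
}

// HARDENED: the key is still user-supplied, but the server decides whether
// THIS user may act on THIS object, and a nonce ties the request to the session.
function bt_example_save_item_hardened() {
    check_ajax_referer( 'bt_example_save_item', 'nonce' ); // dies on a bad nonce

    $item_id = absint( $_POST['item_id'] ?? 0 );
    $post    = get_post( $item_id );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Object-level check: edit_post is mapped through map_meta_cap, so post
    // ownership, status and the caller's role are all evaluated for this id.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_post_meta( $post->ID, '_bt_example_note', $note );
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users. Hooking the
// same action on wp_ajax_nopriv_* would expose it to unauthenticated callers,
// which is the difference between the authenticated and unauthenticated
// vectors discussed in the advisory.
add_action( 'wp_ajax_bt_example_save_item', 'bt_example_save_item_hardened' );
```

When reviewing a theme for this class of bug, look for every handler that reads an id from the request and passes it to a write or read helper without an intervening current_user_can() check on that specific object.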
Affected Systems
The affected product is the Mikado-Themes Backpack Traveler theme for WordPress; all releases up to and including version 2.10.3 are susceptible. The vulnerable code is present on any WordPress installation running the theme at or below this version. No WordPress core or plugin versions are implicated by the current data.
Risk and Exploitability
A CVSS score of 5.4 places the vulnerability at moderate severity. The EPSS score below 1% indicates a very low probability of exploitation under current public threat intelligence, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote: an authenticated, or potentially unauthenticated, user crafts URLs containing resource identifiers that the theme accepts without verifying ownership. Exploitation requires that the attacker knows the site's internal resource identifiers and that site owners have not otherwise overridden the theme's access controls.
OpenCVE Enrichment