Impact
A missing authorization flaw exists in the WP Travel WordPress plugin, allowing attackers to abuse incorrectly configured access control levels. The vulnerability can lead to unauthorized execution of privileged functions within the plugin. The weakness corresponds to CWE-862 (Missing Authorization), which covers unauthorized access resulting from trust boundary violations. Based on the description, the likely attack vector involves sending requests to the plugin's administrative endpoints as an authenticated user, exploiting the lack of proper role checks.
Affected Systems
Affected users are those running the WP Travel plugin version 11.1.0 or earlier. The plugin vendor ‘WP Travel’ is listed as the CNA, and the problem spans all releases from the earliest available version through 11.1.0. Exact patch versions are not enumerated in the data, but any install of the plugin older than 11.1.1 is unprotected.
Risk and Exploitability
The CVSS score of 5.3 denotes moderate severity, and an EPSS score indicating an exploitation probability of less than 1% suggests that this flaw is not yet widely exploited in the wild. The issue is not present in the CISA KEV catalog, further implying low current exploitation risk. The attack likely requires the attacker to access the WordPress site and interact with the plugin's protected functions, which is inferred to require an authenticated session in order to exploit the missing authorization checks.
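The following is an added illustration of the CWE-862 pattern described in the Impact and Risk sections, written for this page and not taken from WP Travel's code: the route name, option name and capability strings are hypothetical, and the "before" handler shows a permission check that only confirms a login while the "after" handler checks a real capability.

```php
<?php
// Hypothetical plugin code (not WP Travel's) showing the missing-authorization
// pattern on a WordPress REST route and on an admin-ajax handler.

add_action( 'rest_api_init', function () {
    // BEFORE (weak): permission_callback only confirms that someone is logged
    // in, so any subscriber-level account reaches the privileged callback.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // AFTER (hardened): require the capability the operation actually needs.
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => 'example_plugin_can_manage',
    ) );
} );

function example_plugin_can_manage( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        // 401 for anonymous callers, 403 for authenticated but unprivileged ones.
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change plugin settings.', 'example-plugin' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_plugin_save_settings( WP_REST_Request $request ) {
    $value = sanitize_text_field( $request->get_param( 'currency' ) );
    update_option( 'example_plugin_currency', $value ); // privileged write
    return rest_ensure_response( array( 'saved' => true ) );
}

// Same rule for admin-ajax handlers: a nonce proves the request was not
// forged (CSRF), it does not prove the caller is allowed to do the action.
add_action( 'wp_ajax_example_plugin_delete_booking', function () {
    check_ajax_referer( 'example_plugin_delete', 'nonce' );   // CSRF only
    if ( ! current_user_can( 'delete_others_posts' ) ) {      // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    wp_delete_post( $booking_id, true );
    wp_send_json_success( array( 'deleted' => $booking_id ) );
} );
```

When reviewing a plugin for this class of flaw, grep for `permission_callback` values of `__return_true` or `is_user_logged_in` and for `wp_ajax_` handlers that call `check_ajax_referer` without a matching `current_user_can` check.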
OpenCVE Enrichment