Description
Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Monster: from n/a through <= 1.3.3.
Published: 2026-01-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Protected Resources
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows users to exploit incorrectly configured access control settings. An attacker can gain unauthorized access to resources or functionalities that should be restricted, potentially exposing sensitive data or enabling further compromise. This broken access control directly impacts confidentiality and integrity, as privileged actions can be performed without proper verification.

Affected Systems

The affected item is the WordPress Travel Monster theme from the vendor wptravelengine, with versions ranging from any earlier version up to version 1.3.3 inclusive. All installations running those versions are susceptible, regardless of the surrounding WordPress environment.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as medium severity, and the current EPSS score is under 1% indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalogue. The attack vector is inferred to be web‑based, leveraging incorrectly configured security roles; an attacker who can access the site with a user account but lacking the required capabilities could potentially exploit the flaw. Until a patched version is applied, the risk remains until the theme is updated or access controls are manually tightened.

Generated by OpenCVE AI on April 16, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Travel Monster theme to any version newer than 1.3.3 that includes the fix for the access control flaw.
  • Review and restrict WordPress user roles so that only administrators possess capabilities to manage theme options or sensitive settings.
  • If an update is not immediately available, deactivate the theme or enforce strict role‑based access restrictions through a dedicated ACL plugin until the issue is resolved.

Generated by OpenCVE AI on April 16, 2026 at 01:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 23 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Monster: from n/a through <= 1.3.3.
Title WordPress Travel Monster theme <= 1.3.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:50.304Z

Reserved: 2026-01-23T12:32:17.047Z

Link: CVE-2026-24607

cve-icon Vulnrichment

Updated: 2026-01-23T17:09:48.042Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T15:16:19.567

Modified: 2026-04-28T15:16:19.080

Link: CVE-2026-24607

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:45:20Z

Weaknesses