Impact
WordPress Travelfic Toolkit plugin up to version 1.3.3 contains a missing authorization flaw, allowing an attacker to bypass the plugin’s access control restrictions and perform privileged operations. The vulnerability stems from incorrectly configured security levels, effectively exposing sensitive administrative functions to unauthenticated or insufficiently privileged users. The weakness aligns with CWE‑862, which describes the lack of proper authorization checks.
Affected Systems
The issue impacts the Themefic Travelfic Toolkit plugin for WordPress, affecting all installations using version 1.3.3 or older. Sites running the plugin without the latest security fixes are susceptible to exploitation. No specific operating system details are provided beyond the WordPress environment, so any system hosting WordPress with an affected plugin version is at risk.
Risk and Exploitability
The CVSS score is 4.3, indicating a moderate risk profile, while the EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not currently listed in the CISA KEV catalog. Attackers are likely to exploit this flaw remotely via standard HTTP requests to privileged plugin endpoints that lack proper role checks. Because the flaw permits unauthorized access to protected functionality, any attacker who can reach these endpoints could potentially modify or create content, change settings, or gain administrative leverage on the affected WordPress site. As the attack vector is inferred to be remote and web‑based, security teams should monitor for unexpected requests to the plugin's privileged endpoints, particularly from unauthenticated or low‑privilege sessions, and update the plugin to a release newer than 1.3.3 that carries the fix.
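The class of flaw described above, as an added illustration that is not code from the Travelfic Toolkit or from Themefic: a hypothetical admin-ajax settings handler (the slug demo_tk, the action name and the option key are all assumptions) shown first with the authorization check missing, then hardened with a nonce check and a capability check. Only one of the two registrations would exist in a real plugin.

```php
<?php
// Added example of CWE-862 in a WordPress plugin. NOT Travelfic Toolkit code:
// "demo_tk", the action name and the option key are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// Hooking wp_ajax_nopriv_ makes the handler reachable by logged-out visitors,
// and the handler itself never asks who is calling or what they may do.
add_action( 'wp_ajax_demo_tk_save_settings',        'demo_tk_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_tk_save_settings', 'demo_tk_save_settings_vulnerable' );

function demo_tk_save_settings_vulnerable() {
    // Any HTTP client can overwrite this option: missing authorization.
    update_option( 'demo_tk_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// Only the authenticated hook is registered; the handler verifies a nonce
// (anti-CSRF) and then enforces a capability (authorization) before writing.
add_action( 'wp_ajax_demo_tk_save_settings', 'demo_tk_save_settings_secure' );

function demo_tk_save_settings_secure() {
    // Dies with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'demo_tk_settings', 'nonce' );

    // The check the vulnerable version lacks: require an admin-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Whitelist and sanitize the fields instead of storing the raw POST array.
    $raw      = wp_unslash( $_POST['settings'] ?? array() );
    $settings = array(
        'show_map' => ! empty( $raw['show_map'] ),
        'contact'  => sanitize_email( $raw['contact'] ?? '' ),
    );
    update_option( 'demo_tk_settings', $settings );
    wp_send_json_success( $settings );
}
```

When reviewing a plugin for this weakness, look for every wp_ajax_nopriv_ hook, every REST route whose permission_callback is __return_true, and every handler that reaches update_option, wp_insert_post or similar without a preceding current_user_can() call.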
OpenCVE Enrichment