Impact
The vulnerability is a missing authorization flaw that allows an attacker to reach protected functionality of the WpTravelly plugin. The plugin exposes actions without verifying that the caller holds the access level they require, which can give an attacker visibility into, or modification rights over, resources that should be restricted. Because the weakness is a classic broken access control (CWE-862), an attacker may exploit it to read sensitive booking data, change settings, or otherwise alter the application's state, affecting data confidentiality and integrity. No direct denial of service or remote code execution is described, but compromise of the plugin's data could have business impact.
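The pattern behind a CWE-862 flaw in a WordPress plugin, shown as an added example that is not WpTravelly's code: a hypothetical booking-export handler (the `example_` names, the `example_booking` post type and the `manage_options` capability are assumptions for illustration) with the missing check beside its fixed form, plus the REST-route equivalent.

```php
<?php
// Added example, not WpTravelly's code: a hypothetical booking-export AJAX
// handler written the way CWE-862 typically appears in WordPress plugins,
// followed by its fixed form. Names prefixed example_ are invented.

// VULNERABLE: hooked for both logged-in and anonymous callers, and the
// callback never asks whether the caller is allowed to see bookings.
add_action( 'wp_ajax_example_export_bookings',        'example_export_bookings_vuln' );
add_action( 'wp_ajax_nopriv_example_export_bookings', 'example_export_bookings_vuln' );
function example_export_bookings_vuln() {
    $bookings = get_posts( array( 'post_type' => 'example_booking', 'numberposts' => -1 ) );
    wp_send_json_success( $bookings ); // every booking, to anyone who knows the action name
}

// FIXED: logged-in hook only, an explicit capability check, and a nonce so
// the request must come from a page the plugin rendered for this user.
add_action( 'wp_ajax_example_export_bookings_fixed', 'example_export_bookings_fixed' );
function example_export_bookings_fixed() {
    check_ajax_referer( 'example_export_bookings', 'nonce' ); // terminates the request on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $bookings = get_posts( array( 'post_type' => 'example_booking', 'numberposts' => -1 ) );
    wp_send_json_success( $bookings );
}

// The same mistake in a REST route: permission_callback => '__return_true'
// is the REST-API form of a missing authorization check. The fixed form
// ties the route to a capability decision.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/bookings', array(
        'methods'             => 'GET',
        'callback'            => 'example_rest_list_bookings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function example_rest_list_bookings() {
    return rest_ensure_response( get_posts( array( 'post_type' => 'example_booking' ) ) );
}
```

When auditing a plugin for this class of flaw, the things to grep for are `wp_ajax_nopriv_` hooks, callbacks with no `current_user_can` or nonce check, and REST routes whose `permission_callback` is `__return_true` or absent.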
Affected Systems
This flaw affects the Magepeople inc. WpTravelly WordPress plugin in all versions from the initial release up to and including 2.1.5. It does not apply to 2.1.6 or newer releases, which include the fix.
Risk and Exploitability
The CVSS score of 6.3 indicates a medium-severity vulnerability. The EPSS score is not available, so the current exploitation probability is unknown. The flaw is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded there. The likely attack vector is a web request from an authenticated or unauthenticated attacker who can interact with the plugin's pages. Exploitation would require the attacker to discover that the plugin serves restricted resources without an authorization check and then submit the corresponding request. As the issue is a broken access control, a resulting incident could involve unauthorized data exposure and data tampering. The overall risk therefore hinges on the attacker's ability to interact with the affected site and on the sensitivity of the data stored by the plugin.
OpenCVE Enrichment