Impact
This vulnerability is a missing authorization issue in the raratheme Travel Diaries WordPress theme. Because access control levels are configured incorrectly, the theme does not enforce proper checks on certain administrative actions. An attacker could therefore read or modify protected data and configuration settings that should be restricted, leading to unauthorized disclosure or alteration of site content and booking information. The weakness is classified as CWE-862 (Broken Access Control).
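The pattern behind CWE-862 is easiest to see in code. The following is an added illustration, not the Travel Diaries theme's code and not derived from the advisory: the hook names, option key and function names are hypothetical. It shows a WordPress AJAX handler that writes a setting without any authorization check, beside the hardened form that verifies both a nonce and a capability before touching protected data.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress
// admin-ajax handler. NOT the Travel Diaries theme's code; every hook name,
// option key and function name below is hypothetical.

// --- Weak form: reachable by any logged-in user, and it performs no
// capability or nonce check before writing a site option.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unchecked' );
function example_save_settings_unchecked() {
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_theme_setting', $value ); // no authorization check (CWE-862)
    wp_send_json_success();
}

// --- Hardened form: check intent (nonce) AND authorization (capability).
// Both are needed: a valid nonce only proves the request came from a page
// the user loaded, not that the user is allowed to perform the action.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_checked' );
function example_save_settings_checked() {
    // Dies with a -1 response if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Only administrators (manage_options) may change theme settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_theme_setting', $value );
    wp_send_json_success();
}
```

When auditing a theme for this weakness class, list every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route callback it registers and confirm that each one that reads or writes protected data calls `current_user_can()` with an appropriate capability (or, for REST routes, supplies a real `permission_callback`). A handler registered under `wp_ajax_nopriv_*` is reachable without any login, so a missing check there is the more severe case.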
Affected Systems
Affected systems include the raratheme Travel Diaries WordPress theme version 1.2.4 and all earlier releases: every version from the beginning of the theme's release cycle through 1.2.4 inclusive is vulnerable.
Risk and Exploitability
Risk: The CVSS score is 5.3 (medium severity). The EPSS score is below 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog, so it is not currently known to be actively exploited. Exploitation requires interaction with the WordPress site, most likely web requests to privileged administrative endpoints that lack proper authorization checks. The attack vector is inferred to be remote over the web, but the exact conditions are not detailed in the supplied description. Despite the low EPSS, organizations should treat this as a moderate risk because of the potential for unauthorized access to sensitive data.
OpenCVE Enrichment