Description
Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Booking: from n/a through <= 1.3.9.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The vulnerability is a broken access control flaw in the WordPress Travel Booking theme where authorization checks are missing or incorrectly configured. As a result, an attacker can perform actions that should be restricted by the theme’s security levels, potentially accessing or modifying content, booking details, or administrative functions that are intended to be protected. The weakness is classified as CWE-862 (Missing Authorization).

Affected Systems

Affected systems are WordPress sites that use the wptravelengine Travel Booking theme version 1.3.9 or earlier. The vulnerability applies to all releases from the initial release of the theme through 1.3.9 inclusive.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score of less than 1% suggests that exploitation is unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through web traffic to the theme’s endpoints, where a malicious user could craft requests to bypass intended access restrictions. The impact could be data exposure, unauthorized booking actions, or other administrative misuse.

Generated by OpenCVE AI on March 19, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Travel Booking theme to a version newer than 1.3.9 to eliminate the missing authorization checks.
  • If an update is not immediately available, review and harden the theme’s access control settings, ensuring that all restricted pages and functions require proper authentication.
  • Monitor web logs for unusual access patterns to the theme’s managed endpoints and enforce network-level restrictions if necessary.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wptravelengine; Wptravelengine travel Booking
Vendors & Products | | Wordpress; Wordpress wordpress; Wptravelengine; Wptravelengine travel Booking

Fri, 13 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Booking: from n/a through <= 1.3.9.
Title | | WordPress Travel Booking theme <= 1.3.9 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:22.945Z

Reserved: 2026-03-12T11:11:55.348Z

Link: CVE-2026-32486

Vulnrichment

Updated: 2026-03-13T18:46:59.698Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:55:08.917

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:03Z
