{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39565", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:32.434Z", "datePublished": "2026-04-08T08:30:19.049Z", "dateUpdated": "2026-04-08T08:30:19.049Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "tour-booking-manager", "product": "WpTravelly", "vendor": "magepeopleteam", "versions": [{"changes": [{"at": "2.1.8", "status": "unaffected"}], "lessThanOrEqual": "2.1.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "\u0410\u043b\u0435\u043a\u0441\u0430\u043d\u0434\u0440 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.406Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WpTravelly: from n/a through <= 2.1.7.</p>"}], "value": "Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpTravelly: from n/a through <= 2.1.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:19.049Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-2-1-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WpTravelly plugin <= 2.1.7 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpTravelly: from n/a through <= 2.1.7."}], "id": "CVE-2026-39565", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:27.790", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-2-1-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.1.7]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "WpTravelly", "source": "cna", "vendor": "magepeopleteam"}, "product": "wptravelly", "vendor": "magepeople"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:49:58.466260+00:00", "value": {"mitigation_remediation": ["Upgrade the WpTravelly plugin to the latest version (greater than 2.1.7).", "Verify that user roles and capabilities for the plugin are correctly configured."], "summary": {"action": "Immediate Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "All installations of the WpTravelly plugin from its earliest release through version 2.1.7 are affected. Users running any of these versions are at risk until they upgrade beyond 2.1.7.", "description_and_impact": "The vulnerability stems from missing authorization checks in the WordPress WpTravelly tour\u2011booking\u2011manager plugin, as indicated by the CWE\u2011862 label. This flaw permits attackers to invoke functions or views that should be restricted, potentially allowing unauthorized users to access booking data or perform privileged operations. The impact is therefore a loss of confidentiality, integrity, and potential elevation of privileges for malicious actors.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS value is missing, but the flaw is categorized as a known exploited vulnerability catalog entry is not listed. The most likely attack vector is entering or manipulating requests to the plugin\u2019s endpoints via the web interface, bypassing required permission checks. Given the plugin\u2019s widespread use, the conditions for exploitation are minimal, making this a high\u2011risk issue for sites that have not yet updated."}}}}, "created": "2026-04-08T19:42:29.873865+00:00", "updated": "2026-04-09T08:22:10.854091+00:00", "vendors": ["magepeople", "magepeople$PRODUCT$wptravelly", "wordpress", "wordpress$PRODUCT$wordpress"]}