CVE-2026-27331 Overview
CVE-2026-27331 is a Missing Authorization vulnerability [CWE-862] in the Magepeople WpTravelly plugin for WordPress. The flaw stems from incorrectly configured access control security levels, allowing authenticated users with low privileges to perform actions that should be restricted. The vulnerability affects WpTravelly versions up to and including 2.1.5. An attacker exploiting this issue can compromise confidentiality, integrity, and availability to a limited degree over the network.
Critical Impact
Authenticated attackers with low privileges can bypass access control checks in WpTravelly to access or modify resources outside their authorization scope.
Affected Products
- Magepeople WpTravelly plugin for WordPress
- All versions from n/a through 2.1.5
- WordPress sites running the Tour Booking Manager plugin
Discovery Timeline
- 2026-05-26 - CVE CVE-2026-27331 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-27331
Vulnerability Analysis
The WpTravelly plugin fails to enforce proper authorization checks on certain plugin endpoints or actions. The flaw is categorized as Broken Access Control under CWE-862: Missing Authorization. Exploitation requires an authenticated session, but only low-level privileges are needed, meaning subscriber-level accounts or higher may suffice. The attack vector is network-based and requires no user interaction.
The EPSS score sits at 0.034% with a percentile of 10.413, indicating low predicted exploitation activity at this time. However, plugins with broken access control flaws are commonly targeted in opportunistic WordPress campaigns once proof-of-concept details circulate.
Root Cause
The root cause is the absence or improper implementation of capability and nonce checks on plugin functions handling tour booking management. WordPress plugins must validate the requesting user's capability via current_user_can() and verify request authenticity using check_admin_referer() or wp_verify_nonce(). WpTravelly through version 2.1.5 does not consistently apply these checks, exposing protected functionality to unauthorized callers.
Attack Vector
An authenticated attacker sends crafted HTTP requests to vulnerable WpTravelly AJAX or admin-post endpoints. Because authorization is not properly verified server-side, the plugin executes the requested action with the privileges intended for higher-tier roles. This can lead to unauthorized data reads, modification of booking records, or configuration changes within the plugin's scope. See the Patchstack Vulnerability Report for advisory details.
No public proof-of-concept code has been released. The vulnerability mechanism follows the standard pattern of missing capability checks on plugin handlers. Refer to the vendor advisory for technical specifics.
Detection Methods for CVE-2026-27331
Indicators of Compromise
- Unexpected HTTP POST requests from low-privilege authenticated sessions to WpTravelly endpoints under /wp-admin/admin-ajax.php or /wp-admin/admin-post.php
- Modifications to tour, booking, or plugin configuration records that do not correlate with administrator activity
- New or altered booking entries created by users whose roles should not permit such actions
Detection Strategies
- Review WordPress audit logs for plugin actions performed by subscriber, customer, or contributor roles
- Inspect web server access logs for repeated requests to WpTravelly action handlers with non-administrator session cookies
- Correlate authenticated request patterns against expected role-based access maps for the plugin
Monitoring Recommendations
- Enable verbose logging on the WordPress site using an activity-monitoring plugin to track privileged plugin operations
- Alert on HTTP 200 responses to WpTravelly endpoints originating from low-privilege user sessions
- Monitor database changes to WpTravelly tables for writes occurring outside administrator workflows
How to Mitigate CVE-2026-27331
Immediate Actions Required
- Identify all WordPress installations running the Magepeople WpTravelly plugin and confirm installed version
- Upgrade WpTravelly to a release later than 2.1.5 once the vendor publishes a fix
- Audit user accounts and revoke unnecessary low-privilege accounts that could be leveraged for exploitation
- Review recent booking and plugin configuration changes for unauthorized modifications
Patch Information
A fixed version beyond WpTravelly 2.1.5 should be applied as soon as it is released by Magepeople. Consult the Patchstack Vulnerability Report for the latest patch status and the vendor's plugin page on the WordPress repository.
Workarounds
- Restrict access to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php WpTravelly actions via a Web Application Firewall (WAF) rule until a patch is applied
- Temporarily deactivate the WpTravelly plugin on sites where tour booking functionality is non-critical
- Enforce least-privilege role assignments and disable open user registration to limit the pool of attackers with authenticated access
# Configuration example: WordPress role audit via WP-CLI
wp user list --role=subscriber --fields=ID,user_login,user_registered
wp plugin get tour-booking-manager --field=version
wp plugin update tour-booking-manager
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
