CVE-2026-39565 Overview
CVE-2026-39565 is a Missing Authorization vulnerability [CWE-862] in the magepeopleteam WpTravelly (tour-booking-manager) WordPress plugin. The flaw affects all versions up to and including 2.1.7. Incorrectly configured access control security levels allow authenticated users with low privileges to invoke functionality that should be restricted to higher-privileged roles. The vulnerability is exploitable remotely over the network without user interaction.
Critical Impact
Authenticated attackers with low-level WordPress accounts can bypass authorization checks in the WpTravelly plugin, leading to limited integrity impact on tour booking data and configuration.
Affected Products
- magepeopleteam WpTravelly (tour-booking-manager) WordPress plugin
- All versions from initial release through 2.1.7
- WordPress sites running vulnerable WpTravelly installations
Discovery Timeline
- 2026-04-08 - CVE-2026-39565 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-39565
Vulnerability Analysis
The vulnerability stems from missing authorization checks within the WpTravelly plugin's request handlers. The plugin exposes actions that perform privileged operations without verifying whether the calling user holds the required capability. Any authenticated user, including low-privileged roles such as subscribers, can invoke these actions.
Missing Authorization [CWE-862] occurs when software fails to perform an authorization check when an actor attempts to access a resource or perform an action. In the WpTravelly context, the plugin registers AJAX or admin-post endpoints without calling current_user_can() or an equivalent capability check before executing the action. Nonce verification alone, if present, does not enforce authorization: a nonce only ties a request to a page WordPress rendered for the current user, and any authenticated user can obtain a valid one.
Root Cause
The root cause is incorrectly configured access control security levels in the plugin's action handlers. Developers registered endpoints expecting them to be limited to administrators but did not implement explicit capability checks. The endpoints rely on implicit assumptions rather than enforced policy, leaving them reachable by any authenticated session.
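The pattern described above, shown as an added example in a generic WordPress AJAX handler (this is not WpTravelly's own code; the action name, nonce name and option name are hypothetical). The first function has the CWE-862 defect: it verifies a nonce but never checks a capability, so the wp_ajax_ hook fires for every logged-in user. The second adds the missing current_user_can() check and is the only one actually hooked.

```php
<?php
// Added example, not code from the WpTravelly plugin.
// Hypothetical names: example_update_tour_settings (action),
// example_tour_settings_nonce (nonce), example_tour_settings (option).

// --- Vulnerable pattern: nonce only, no capability check --------------------
// check_ajax_referer() is CSRF protection, not authorization. A subscriber who
// can load a page that prints the nonce can call this action successfully.
function example_update_tour_settings_vulnerable() {
    check_ajax_referer( 'example_tour_settings_nonce', 'nonce' );

    $settings = array(
        'booking_email' => sanitize_email( wp_unslash( $_POST['booking_email'] ?? '' ) ),
    );
    update_option( 'example_tour_settings', $settings );
    wp_send_json_success();
}
// Shown for contrast only; deliberately NOT hooked:
// add_action( 'wp_ajax_example_update_tour_settings', 'example_update_tour_settings_vulnerable' );

// --- Hardened pattern: nonce AND capability check ---------------------------
function example_update_tour_settings_hardened() {
    check_ajax_referer( 'example_tour_settings_nonce', 'nonce' );

    // The authorization check that was missing. manage_options is held by
    // administrators by default; a plugin may register a narrower capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the response.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = array(
        'booking_email' => sanitize_email( wp_unslash( $_POST['booking_email'] ?? '' ) ),
    );
    update_option( 'example_tour_settings', $settings );
    wp_send_json_success();
}
// wp_ajax_{action} runs for authenticated users only. Do not also register a
// wp_ajax_nopriv_{action} handler for a privileged operation.
add_action( 'wp_ajax_example_update_tour_settings', 'example_update_tour_settings_hardened' );
```

The order matters for a clean audit trail but not for security: nonce first rejects forged cross-site requests cheaply, and the capability check then rejects authenticated users who hold a valid nonce but not the required role. Every handler that writes plugin data or settings needs both.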
Attack Vector
An attacker first obtains a low-privileged WordPress account on the target site. The attacker then issues HTTP requests to the vulnerable plugin endpoints with parameters targeting protected functionality. Because the plugin does not validate the user's role or capability, the action executes successfully. The integrity impact is limited to the data and settings managed by the WpTravelly plugin.
No verified public exploitation code is available. Refer to the Patchstack advisory for CVE-2026-39565 for additional technical context.
Detection Methods for CVE-2026-39565
Indicators of Compromise
- Unexpected modifications to WpTravelly bookings, tours, or plugin settings made by non-administrator accounts
- WordPress audit log entries showing low-privileged users invoking plugin AJAX actions tied to tour-booking-manager
- HTTP POST requests to /wp-admin/admin-ajax.php referencing WpTravelly actions from sessions belonging to subscribers or customers
Detection Strategies
- Inspect web server access logs for repeated POST requests to admin-ajax.php or admin-post.php containing WpTravelly action parameters from non-admin user sessions
- Enable a WordPress activity logging plugin to record plugin configuration changes and correlate them with the acting user's role
- Confirm the WpTravelly version actually installed on disk rather than relying on a dashboard listing; any version at or below 2.1.7 is exposed
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized SIEM and alert on privileged plugin actions performed by non-administrator accounts
- Monitor new user registrations and privilege changes on public-facing WordPress sites running WpTravelly
- Establish a baseline of normal WpTravelly administrative activity and alert on deviations
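The activity logging and alerting recommended in the detection and monitoring lists above can be approximated with a small must-use plugin. The following is an added example (not part of the original advisory or the WpTravelly project): it hooks admin_init, which fires for both admin-ajax.php and admin-post.php requests, and writes a structured log line whenever a non-administrator invokes an action whose name matches a configurable prefix. The prefix is a placeholder, since the advisory does not name the plugin's action identifiers; set it to the prefix observed in the plugin's own add_action( 'wp_ajax_...' ) registrations.

```php
<?php
/**
 * Plugin Name: Example non-admin plugin action logger (added example)
 * Description: Logs privileged-looking plugin actions invoked by non-administrators.
 * Install as wp-content/mu-plugins/example-action-logger.php.
 */

// PLACEHOLDER: replace with the real action-name prefix used by the plugin,
// taken from its wp_ajax_* / admin_post_* registrations. Regex, case-insensitive.
define( 'EXAMPLE_WATCHED_ACTION_PREFIX', '/^PLACEHOLDER_PLUGIN_PREFIX_/i' );

/**
 * Build the log record for the current request, or return null if the
 * request is not one we care about.
 *
 * @return array|null
 */
function example_action_logger_record() {
    // Only admin-ajax.php and admin-post.php requests carry an "action" parameter
    // that routes to plugin handlers.
    $script = basename( $_SERVER['SCRIPT_NAME'] ?? '' );
    if ( 'admin-ajax.php' !== $script && 'admin-post.php' !== $script ) {
        return null;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( '' === $action || ! preg_match( EXAMPLE_WATCHED_ACTION_PREFIX, $action ) ) {
        return null;
    }

    // Administrators are expected to use these actions; everyone else is an anomaly.
    if ( current_user_can( 'manage_options' ) ) {
        return null;
    }

    $user = wp_get_current_user();
    return array(
        'event'      => 'non_admin_plugin_action',
        'script'     => $script,
        'action'     => $action,
        'user_id'    => (int) $user->ID,              // 0 for unauthenticated requests
        'user_login' => $user->ID ? $user->user_login : '',
        'roles'      => $user->ID ? array_values( (array) $user->roles ) : array(),
        'remote_ip'  => $_SERVER['REMOTE_ADDR'] ?? '',
        'method'     => $_SERVER['REQUEST_METHOD'] ?? '',
        'time'       => gmdate( 'c' ),
    );
}

/**
 * Emit the record to the PHP error log (wp-content/debug.log when WP_DEBUG_LOG
 * is enabled). Ship that file to the SIEM and alert on event=non_admin_plugin_action.
 */
function example_action_logger_admin_init() {
    $record = example_action_logger_record();
    if ( null === $record ) {
        return;
    }
    error_log( 'EXAMPLE_ACTION_LOGGER ' . wp_json_encode( $record ) );
}
add_action( 'admin_init', 'example_action_logger_admin_init' );
```

This logs rather than blocks: on an unpatched site it gives the audit trail the advisory asks for and the acting user's role, which is what a SIEM rule needs to separate legitimate administrator activity from abuse. Blocking belongs in the plugin's own handlers (the capability check) or in a WAF rule, not in a logger that would otherwise break legitimate customer-facing actions you have not yet enumerated.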
How to Mitigate CVE-2026-39565
Immediate Actions Required
- Update the WpTravelly plugin to a version released after 2.1.7 that addresses the missing authorization issue
- Audit existing WordPress user accounts and remove or disable unused low-privileged accounts that could be abused
- Review WpTravelly bookings, tours, and configuration for unauthorized changes since the plugin was installed
Patch Information
The vendor advisory published through Patchstack identifies version 2.1.7 as the last vulnerable release. Site administrators must upgrade to a patched release of WpTravelly when available. Consult the Patchstack advisory for the fixed version reference.
Workarounds
- Disable and remove the WpTravelly plugin until a patched version can be deployed
- Restrict access to /wp-admin/admin-ajax.php from anonymous and low-privilege sessions using a web application firewall rule targeting WpTravelly action parameters
- Disable open WordPress user registration to limit the pool of authenticated attackers
# Example WordPress CLI commands to verify and disable the vulnerable plugin
# Print the installed version; 2.1.7 or lower is vulnerable
wp plugin get tour-booking-manager --field=version
# Deactivate the plugin until a patched release is installed
wp plugin deactivate tour-booking-manager
# Disable open registration (Settings > General > "Anyone can register")
wp option update users_can_register 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.