CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence: High
EPSS
Percentile: 20.6%
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘ttbm_new_place_save’ function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.
[
{
"vendor": "magepeopleteam",
"product": "WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly",
"versions": [
{
"status": "affected",
"version": "*",
"versionType": "semver",
"lessThanOrEqual": "1.7.1"
}
],
"defaultStatus": "unaffected"
}
]
plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225
plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3092969%40tour-booking-manager%2Ftrunk&old=3091912%40tour-booking-manager%2Ftrunk&sfp_email=&sfph_mail=
www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve