Search criteria
2 vulnerabilities found for WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly by magepeopleteam
CVE-2024-0434 (GCVE-0-2024-0434)
Vulnerability from cvelistv5 – Published: 2024-05-29 03:30 – Updated: 2024-08-01 18:04
VLAI?
Title
WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly <= 1.7.1 - Missing Authorization via ttbm_new_place_save
Summary
The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| magepeopleteam | WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly |
Affected:
* , ≤ 1.7.1
(semver)
|
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T18:25:50.451948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:25:56.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.769Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3092969%40tour-booking-manager%2Ftrunk\u0026old=3091912%40tour-booking-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly",
"vendor": "magepeopleteam",
"versions": [
{
"lessThanOrEqual": "1.7.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ttbm_new_place_save\u0027 function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284 Improper Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T03:30:58.914Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3092969%40tour-booking-manager%2Ftrunk\u0026old=3091912%40tour-booking-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-28T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly \u003c= 1.7.1 - Missing Authorization via ttbm_new_place_save"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0434",
"datePublished": "2024-05-29T03:30:58.914Z",
"dateReserved": "2024-01-11T17:19:31.253Z",
"dateUpdated": "2024-08-01T18:04:49.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0434 (GCVE-0-2024-0434)
Vulnerability from nvd – Published: 2024-05-29 03:30 – Updated: 2024-08-01 18:04
VLAI?
Title
WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly <= 1.7.1 - Missing Authorization via ttbm_new_place_save
Summary
The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| magepeopleteam | WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly |
Affected:
* , ≤ 1.7.1
(semver)
|
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T18:25:50.451948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:25:56.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.769Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3092969%40tour-booking-manager%2Ftrunk\u0026old=3091912%40tour-booking-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly",
"vendor": "magepeopleteam",
"versions": [
{
"lessThanOrEqual": "1.7.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ttbm_new_place_save\u0027 function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284 Improper Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T03:30:58.914Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3092969%40tour-booking-manager%2Ftrunk\u0026old=3091912%40tour-booking-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-28T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly \u003c= 1.7.1 - Missing Authorization via ttbm_new_place_save"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0434",
"datePublished": "2024-05-29T03:30:58.914Z",
"dateReserved": "2024-01-11T17:19:31.253Z",
"dateUpdated": "2024-08-01T18:04:49.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}