🔐 CVE Alert

CVE-2024-0434

MEDIUM 5.3

WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly <= 1.7.1 - Missing Authorization via ttbm_new_place_save

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.

CWE CWE-284
Vendor magepeopleteam
Product travelly – tour & travel booking manager for woocommerce | tour & hotel booking solution
Published May 29, 2024
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for magepeopleteam travelly – tour & travel booking manager for woocommerce | tour & hotel booking solution

Be the first to know when new medium vulnerabilities affecting magepeopleteam travelly – tour & travel booking manager for woocommerce | tour & hotel booking solution are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

magepeopleteam / Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution
0 ≤ 1.7.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3092969%40tour-booking-manager%2Ftrunk&old=3091912%40tour-booking-manager%2Ftrunk&sfp_email=&sfph_mail=

Credits

Francesco Carlucci