Search criteria
2 vulnerabilities found for Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution by magepeopleteam
CVE-2024-0434 (GCVE-0-2024-0434)
Vulnerability from nvd – Published: 2024-05-29 03:30 – Updated: 2026-04-08 17:30
VLAI
Title
WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly <= 1.7.1 - Missing Authorization via ttbm_new_place_save
Summary
The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| magepeopleteam | Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution |
Affected:
0 , ≤ 1.7.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T18:25:50.451948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:25:56.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.769Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3092969%40tour-booking-manager%2Ftrunk\u0026old=3091912%40tour-booking-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Travelly \u2013 Tour \u0026 Travel Booking Manager for WooCommerce | Tour \u0026 Hotel Booking Solution",
"vendor": "magepeopleteam",
"versions": [
{
"lessThanOrEqual": "1.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ttbm_new_place_save\u0027 function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:30:33.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3092969%40tour-booking-manager%2Ftrunk\u0026old=3091912%40tour-booking-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-28T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly \u003c= 1.7.1 - Missing Authorization via ttbm_new_place_save"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0434",
"datePublished": "2024-05-29T03:30:58.914Z",
"dateReserved": "2024-01-11T17:19:31.253Z",
"dateUpdated": "2026-04-08T17:30:33.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0434 (GCVE-0-2024-0434)
Vulnerability from cvelistv5 – Published: 2024-05-29 03:30 – Updated: 2026-04-08 17:30
VLAI
Title
WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly <= 1.7.1 - Missing Authorization via ttbm_new_place_save
Summary
The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| magepeopleteam | Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution |
Affected:
0 , ≤ 1.7.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T18:25:50.451948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:25:56.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.769Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3092969%40tour-booking-manager%2Ftrunk\u0026old=3091912%40tour-booking-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Travelly \u2013 Tour \u0026 Travel Booking Manager for WooCommerce | Tour \u0026 Hotel Booking Solution",
"vendor": "magepeopleteam",
"versions": [
{
"lessThanOrEqual": "1.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ttbm_new_place_save\u0027 function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:30:33.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3092969%40tour-booking-manager%2Ftrunk\u0026old=3091912%40tour-booking-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-28T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WordPress Tour \u0026 Travel Booking Plugin for WooCommerce \u2013 WpTravelly \u003c= 1.7.1 - Missing Authorization via ttbm_new_place_save"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0434",
"datePublished": "2024-05-29T03:30:58.914Z",
"dateReserved": "2024-01-11T17:19:31.253Z",
"dateUpdated": "2026-04-08T17:30:33.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}