Vulnerability Description
The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '__stPartnerCreateServiceRental', 'st_delete_order_item', '_st_partner_approve_booking', 'save_order_item', and '__userDenyEachInfo' functions in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify posts, delete posts and pages, approve arbitrary orders, insert orders with arbitrary prices, and deny user information.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://travelerwp.com/traveler-changelog/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d21c7537-8437-43aa-ab5
FAQ
What is CVE-2024-11926?
CVE-2024-11926 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '__stPartnerCreateServiceRental', 'st_delete_order_i...
How severe is CVE-2024-11926?
CVE-2024-11926 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-11926?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.