PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27331 Magepeople inc. CVE debrief

A Missing Authorization vulnerability in the WpTravelly WordPress plugin (versions through 2.1.5) allows authenticated attackers to exploit incorrectly configured access control security levels. The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS 3.1 score of 6.3 (MEDIUM severity). The affected product is WpTravelly, a tour booking manager plugin published by Magepeople inc. The NVD entry currently shows a status of 'Deferred,' indicating the record may be awaiting additional analysis or vendor coordination. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Magepeople inc.
Product: WpTravelly
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

WordPress site administrators using the WpTravelly tour booking plugin; security teams managing WordPress estates; developers maintaining custom integrations with WpTravelly

Technical summary

The WpTravelly plugin for WordPress fails to properly enforce authorization checks on certain functionality, allowing authenticated users with low privileges to access or modify resources beyond their intended permissions. The vulnerability affects all versions up to and including 2.1.5. Attack vector is network-based with low attack complexity, requiring low-privileged user authentication but no user interaction. Impact is rated as low for confidentiality, integrity, and availability.

Defensive priority

medium

Recommended defensive actions

  • Review WordPress installations for WpTravelly plugin versions 2.1.5 or earlier and prioritize updates if available from the vendor
  • Monitor the Patchstack advisory and vendor channels for security patch release
  • Apply principle of least privilege to WordPress user accounts pending patch availability
  • Consider Web Application Firewall (WAF) rules to restrict unauthorized access to plugin administrative functions if patching is delayed

Evidence notes

Vulnerability identified via Patchstack and submitted to NVD with CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. NVD status is 'Deferred' as of disclosure date. Vendor attribution to Magepeople inc. derived from reference domain analysis with low confidence; vendor name marked for review.
