CVE-2024-0434

The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.
Configurations

No configuration.

History

08 Apr 2026, 19:19

Type Values Removed Values Added
CWE CWE-284

21 Nov 2024, 08:46

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225 - () https://plugins.trac.wordpress.org/browser/tour-booking-manager/trunk/admin/settings/tour/TTBM_Settings_place_you_see.php#L225 -
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3092969%40tour-booking-manager%2Ftrunk&old=3091912%40tour-booking-manager%2Ftrunk&sfp_email=&sfph_mail= - () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3092969%40tour-booking-manager%2Ftrunk&old=3091912%40tour-booking-manager%2Ftrunk&sfp_email=&sfph_mail= -
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/e84d3e22-8568-4bdb-be9b-ffe78c69ec24?source=cve -

29 May 2024, 13:02

Type Values Removed Values Added
Summary
  • (es) El complemento The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función 'ttbm_new_place_save' en todas las versiones hasta la 1.7.1 incluida. Esto hace posible que atacantes no autenticados creen y publiquen nuevas publicaciones en lugares. Esta función también es vulnerable a CSRF.

29 May 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-29 04:15

Updated : 2026-06-17 06:53


NVD link : CVE-2024-0434

Mitre link : CVE-2024-0434

CVE.ORG link : CVE-2024-0434


JSON object : View

Products Affected

No product.

CWE
CWE-284

Improper Access Control