CVE-2025-68042 MEDIUM

CVE-2025-68042: WordPress Travelpayouts plugin <= 1.2.2 - Broken Access Control vulnerability

Vendor Travelpayouts
Product Travelpayouts
Weakness CWE-862 · Missing authorization
Published February 20, 2026
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelpayouts: from n/a through <= 1.2.2.

Explanation of Vulnerability in Simple Terms

02Summary

Travelpayouts versions up to 1.2.2 lack proper authorization checks, allowing authenticated users with low privileges to perform actions they should not be able to access. The vulnerability requires user interaction and can affect confidentiality, integrity, and availability across the application scope. Site administrators should update to a version newer than 1.2.2.

What an attacker can do

03Attacker Capabilities

Perform unauthorized actions affecting data confidentiality, integrity, and availability within the application.

Potential impact on your site

04Site Impact

Authenticated users with low privileges can bypass access controls and modify or view data they should not access.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege account and trick a user into clicking a malicious link or visiting a crafted page.

Key dates

06Disclosure timeline

February 20, 2026 CVE published
April 28, 2026 Record updated