What the vulnerability does
01 Description
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Backpack Traveler: from n/a through <= 2.10.3.
Explanation of Vulnerability in Simple Terms
02 Summary
Backpack Traveler through version 2.10.3 contains a vulnerability allowing authenticated users with low privileges to modify site data or cause service disruptions. An attacker with a basic user account can alter content or temporarily disable functionality without requiring user interaction. The vulnerability affects the integrity and availability of the site.
What an attacker can do
03 Attacker Capabilities
Modify site data or cause temporary service disruptions with a low-privilege user account.
Potential impact on your site
04 Site Impact
Unauthorized changes to site content or temporary unavailability of features by compromised low-privilege accounts.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid low-privilege user account; no user interaction required.
Key dates
06 Disclosure timeline
December 30, 2025
CVE published
April 28, 2026
Record updated