CVE-2026-27089: WordPress WpTravelly plugin <= 2.1.7 - Bypass Vulnerability
Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability affects the WpTravelly WordPress plugin by Magepeople Inc., versions 2.1.7 and earlier. The flaw is reachable over the network with no authentication and no user interaction, so any remote attacker who can reach the site can trigger it. Successful exploitation lets the attacker tamper with site data or application logic without any credentials: the CVSS vector records high integrity impact and no confidentiality or availability impact. No fixed version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-27089 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle the WpTravelly plugin. Coverage applies to both registry scans and in-pipeline image checks at build time.
- Triage: Available
Triage is available with a CVSS v3.1 score of 7.5 (HIGH), weighted further against each customer org's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox inside each customer organization based on configured ownership rules.
- Remediation: Pending upstream
No fix version has been published for CVE-2026-27089 at this time, so HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger without manual intervention once a fix version is confirmed.
Exploit Conditions
- Network reachability: Required
The vulnerable service must be reachable over the network; any internet-facing WordPress instance running WpTravelly is exposed.
- Authentication: Not required
No account or session credentials are needed; the attacker reaches the vulnerable code path as an unauthenticated visitor.
- Victim interaction: Not required
The attacker does not need to trick or involve any user; the exploit is fully self-contained.
- Attack complexity: Low
No race conditions, special timing, or environmental preconditions are needed; the request can be issued directly against the exposed code path.
Blast Radius
- The attacker bypasses access controls that would normally gate privileged operations within the WpTravelly plugin.
- Plugin data, travel listings, pricing records, or booking configurations can be modified or corrupted without any prior login.
- Site integrity is compromised: changes to content or settings are stored server-side and therefore affect every visitor and session, not only the attacker's.
How HarborGuard Handles This
Status: available on HarborGuard. Detection for this vulnerability is active and matched against any customer image containing WpTravelly 2.1.7 or earlier. Because no upstream fix exists yet, HarborGuard re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. In the interim, customers can apply compensating controls: use network policy (or a reverse-proxy allowlist) to restrict external access to the affected WordPress instance and its plugin endpoints, and review the WordPress role and capability settings that govern what the plugin may write. Egress filtering limits the plugin's outbound reach and so constrains follow-on activity, but it does not block the bypass itself, which is an inbound unauthenticated request. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual steps once an upstream patch is confirmed.
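The "matched against any customer image containing WpTravelly 2.1.7 or earlier" step is a version-range check over plugin metadata. Below is an added example of such a check, written for this page and not HarborGuard's scanner: it reads the standard WordPress plugin header (the Plugin Name and Version fields in the comment block at the top of a plugin's main PHP file) and decides whether the install falls in the affected range, getting the comparison pitfalls right (2.1.10 versus 2.1.7, 2.2 versus 2.2.0, pre-release suffixes). The sample header, the wptravelly directory name and the exact "Plugin Name" value are constructed assumptions, not taken from the real plugin.

```python
"""Affected-range check for WpTravelly <= 2.1.7 from a WordPress plugin header.

Added example, not HarborGuard's scanner. The sample header and the
'wp-content/plugins/wptravelly/' path below are constructed for this example;
the real plugin's directory name and 'Plugin Name' value are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

AFFECTED_PLUGIN_NAME = "WpTravelly"   # assumed header value
LAST_AFFECTED = (2, 1, 7)             # advisory: <= 2.1.7, no fixed version yet

# WordPress reads plugin metadata from the comment block at the top of the
# plugin's main file; 'Plugin Name:' and 'Version:' are standard header fields.
HEADER_FIELD = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M
)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return the header fields of interest from the first 8 KB of the file
    (WordPress itself only reads a bounded prefix when parsing headers)."""
    return {k: v for k, v in HEADER_FIELD.findall(php_source[:8192])}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.1.10' -> (2, 1, 10). The leading dotted-integer run drives the
    comparison; a pre-release suffix such as '-beta1' is ignored (treated as
    the numbered release, the conservative choice for an affected check), and
    trailing zeros are stripped so '2.2' and '2.2.0' compare equal.
    Plain string comparison would wrongly rank '2.1.10' below '2.1.7'."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(php_source: str) -> Optional[bool]:
    """True if the header names the affected plugin at a version <= 2.1.7,
    False if it is newer, None if it is another plugin or has no Version."""
    hdr = parse_plugin_header(php_source)
    if hdr.get("Plugin Name", "").lower() != AFFECTED_PLUGIN_NAME.lower():
        return None
    if "Version" not in hdr:
        return None
    return version_tuple(hdr["Version"]) <= LAST_AFFECTED


def scan_image_files(files: Dict[str, str]) -> List[str]:
    """Given {path: content} for the PHP files of an image (a dict stands in
    for walking a real filesystem), return the plugin main files in the
    affected range. Only files directly under a plugin directory are
    considered, which is where WordPress looks for the header."""
    hits = []
    for path, content in sorted(files.items()):
        m = re.search(r"wp-content/plugins/([^/]+)/([^/]+\.php)$", path)
        if m and is_affected(content):
            hits.append(path)
    return hits


# Constructed sample: a plugin header inside the affected range.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WpTravelly
 * Description: constructed sample header for this example
 * Version: 2.1.7
 * Author: Magepeople Inc.
 */
"""

if __name__ == "__main__":
    image = {
        "/var/www/html/wp-content/plugins/wptravelly/wptravelly.php": SAMPLE_HEADER,
        "/var/www/html/wp-content/plugins/wptravelly/includes/helper.php": "<?php // no header",
        "/var/www/html/wp-content/plugins/other/other.php":
            SAMPLE_HEADER.replace("Plugin Name: WpTravelly", "Plugin Name: Other"),
    }
    print(scan_image_files(image))
```

Because the advisory lists no fixed version, the check only has an upper bound; when a fix is published, the natural extension is to replace the `<=` comparison with a range test so that backported fix releases are not flagged.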
Affected Products
- Magepeople Inc. / WpTravelly ≤ 2.1.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N