CVE-2025-22737 identifies a missing authorization vulnerability in the magepeopleteam WpTravelly WordPress plugin, specifically within its tour-booking-manager component. The issue arises because certain functionality is not properly constrained by Access Control Lists (ACLs), allowing unauthorized users to invoke functions that should require specific permissions. This can lead to unauthorized access or manipulation of booking data or administrative functions within the plugin. The vulnerability affects all versions up to and including 1.8.5, with no patches currently available. The flaw does not require authentication or user interaction, increasing its risk profile. Although no exploits have been reported in the wild, the vulnerability's nature makes it a significant risk for websites using WpTravelly, particularly those managing sensitive customer booking information. The absence of a CVSS score necessitates an expert severity assessment, which rates this as high due to the potential impact on confidentiality and integrity and the ease of exploitation. The vulnerability underscores the importance of proper ACL implementation in WordPress plugins handling sensitive operations.

The missing authorization vulnerability in WpTravelly can have serious consequences for organizations relying on this plugin for tour booking management. Unauthorized access could allow attackers to view, modify, or delete booking information, customer data, or administrative settings, leading to data breaches, loss of customer trust, and operational disruption. In worst-case scenarios, attackers could manipulate bookings or financial transactions, causing financial loss and reputational damage. Since WordPress is widely used globally, any site using this plugin is at risk until patched. The vulnerability could also be leveraged as a foothold for further attacks within the compromised environment. Organizations in the travel and tourism sector, especially those with high volumes of bookings or sensitive customer data, face elevated risks. The lack of authentication requirements for exploitation broadens the attack surface, making automated or remote exploitation feasible.

Organizations using the WpTravelly plugin should immediately audit their WordPress installations to identify affected versions (<=1.8.5). Until an official patch is released, administrators should restrict access to the plugin’s administrative interfaces using web application firewalls (WAFs), IP whitelisting, or other access control mechanisms. Disabling or uninstalling the plugin temporarily can be considered if feasible. Monitoring logs for unusual activity related to booking management functions is critical to detect potential exploitation attempts. Developers and site administrators should subscribe to vendor or security mailing lists to receive patch notifications promptly. Once a patch is available, it should be applied without delay. Additionally, implementing the principle of least privilege for WordPress user roles and regularly reviewing ACL configurations can reduce risk. Employing security plugins that enforce stricter access controls and conducting penetration testing focused on authorization checks can help identify similar issues proactively.