CVE-2024-11926

Name of the Vulnerable Software and Affected Versions Travel Booking WordPress Theme versions up to, and including, 3.1.6

Description The issue allows authenticated attackers with Subscriber-level access and above to modify data without permission due to a missing capability check on several functions, including stPartnerCreateServiceRental, st delete order item, st partner approve booking, save order item, and userDenyEachInfo. This enables attackers to modify posts, delete posts and pages, approve arbitrary orders, insert orders with arbitrary prices, and deny user information.

Recommendations For versions up to, and including, 3.1.6, update to a version that includes a fix for the missing capability check issue to prevent unauthorized data modification. As a temporary workaround, consider disabling the stPartnerCreateServiceRental, st delete order item, st partner approve booking, save order item, and userDenyEachInfo functions until a patch is available. Restrict access to the theme's functionality to minimize the risk of exploitation, ensuring only authorized users can perform sensitive actions.