CVE-2025-68042
Missing Authorization in Travelpayouts β€ 1.2.1 Enables Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-04-01
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| travelpayouts | travelpayouts | to 1.2.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68042 is a medium priority Broken Access Control vulnerability in the WordPress Travelpayouts Plugin versions up to and including 1.2.1.
The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions, which allows unprivileged users to perform actions that should be restricted to higher privileged roles.
Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form.
How can this vulnerability impact me? :
This vulnerability can allow unprivileged users to perform actions reserved for higher privileged roles, potentially leading to unauthorized changes or access within the affected WordPress site.
Because it is classified as a Broken Access Control issue with a CVSS score of 6.5, it poses a moderate security risk that could compromise the integrity and security of your website.
No official patch is currently available, so users must rely on mitigation rules to block attacks targeting this flaw until a patch is released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection commands or methods to identify this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for CVE-2025-68042, immediate mitigation involves applying the Patchstack mitigation rule that can block attacks targeting this vulnerability.
Users are advised to apply these mitigations immediately to protect their websites from exploitation due to missing authorization checks in the Travelpayouts WordPress plugin versions up to 1.2.1.