CVE-2025-22737: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-22737) was discovered in MagePeople Team's WpTravelly WordPress plugin, affecting versions through 1.8.5. The vulnerability was reported by security researcher thiennv and publicly disclosed on January 14, 2025. WpTravelly is a tour and travel booking plugin for WooCommerce that was found to have broken access control issues (Patchstack).

The vulnerability is classified as a Missing Authorization issue (CWE-862) where functionality is not properly constrained by Access Control Lists (ACLs). The vulnerability received a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating that it is network-accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (Patchstack).

The vulnerability allows unauthenticated users to execute certain higher-privileged actions due to broken access control mechanisms. While the specific impact varies case by case, the CVSS scoring indicates that the vulnerability primarily affects the integrity of the system with limited impact (Patchstack).

The vulnerability has been fixed in version 1.8.6 of the WpTravelly plugin. Users are advised to update to version 1.8.6 or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is unlikely to be exploited (Patchstack).