CVE-2024-11926

Description

The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the __stPartnerCreateServiceRental, st_delete_order_item, _st_partner_approve_booking, save_order_item, and __userDenyEachInfo functions in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify posts, delete posts and pages, approve arbitrary orders, insert orders with arbitrary prices, and deny user information.