Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD (the only source for this CVE).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description (CVE.org)
Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8.
Analysis (AI)
Missing authorization controls in the Magepeople Inc. Bus Ticket Booking with Seat Reservation WordPress plugin allow unauthenticated remote attackers to modify data (such as ticket bookings or seat reservations) through incorrectly configured access control security levels. The vulnerability affects versions before 5.6.8 and has a CVSS score of 5.3 (medium severity) with a network attack vector requiring no authentication or user interaction.
Technical Context (AI)
This is a broken access control vulnerability (CWE-862: Missing Authorization) in a WordPress plugin that manages bus ticket reservations and seat allocation. The plugin fails to validate the caller's permissions before allowing modifications to protected resources. WordPress plugins execute server-side within the WordPress application context, so a missing access control check lets a request bypass the intended authorization mechanism. The vulnerability likely lies in REST API endpoints, AJAX handlers, or admin functions that lack the standard WordPress controls against unauthorized data modification: capability checks (user role validation) and nonce verification.
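As an added illustration of the controls described above (hypothetical example code, not the plugin's code): a WordPress AJAX handler that edits a booking, first with the missing-authorization pattern and then with the nonce and capability checks in place, plus the equivalent permission_callback for a REST route. The booking is assumed to be a custom post type registered with map_meta_cap; every function, action and route name here is invented.

```php
<?php
// Hypothetical handlers (added illustration, not the plugin's code). The
// booking is assumed to be stored as a custom post type with map_meta_cap.

// Vulnerable pattern (CWE-862): the nopriv hook exposes the action to
// unauthenticated visitors and nothing checks who is allowed to edit.
add_action( 'wp_ajax_nopriv_example_update_booking', 'example_update_booking_insecure' );
add_action( 'wp_ajax_example_update_booking', 'example_update_booking_insecure' );
function example_update_booking_insecure() {
    $booking_id = (int) $_POST['booking_id'];
    $seat       = sanitize_text_field( wp_unslash( $_POST['seat'] ) );
    update_post_meta( $booking_id, 'seat', $seat ); // no capability or nonce check
    wp_send_json_success();
}

// Hardened pattern: no nopriv hook, nonce verification, and a capability
// check against the specific booking before any write.
add_action( 'wp_ajax_example_update_booking_v2', 'example_update_booking_secure' );
function example_update_booking_secure() {
    check_ajax_referer( 'example_update_booking', 'nonce' ); // dies on failure (CSRF)
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $seat       = isset( $_POST['seat'] ) ? sanitize_text_field( wp_unslash( $_POST['seat'] ) ) : '';

    // Authorization: 'edit_post' is a meta capability that WordPress maps to the
    // post type's capabilities and the object's owner, so a logged-in customer
    // cannot edit someone else's booking and anonymous callers always fail.
    if ( ! $booking_id || ! current_user_can( 'edit_post', $booking_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    if ( '' === $seat ) {
        wp_send_json_error( array( 'message' => 'invalid seat' ), 400 );
    }
    update_post_meta( $booking_id, 'seat', $seat );
    wp_send_json_success( array( 'booking_id' => $booking_id, 'seat' => $seat ) );
}

// REST endpoints carry the same control in permission_callback; passing
// '__return_true' there is the REST-API form of this bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/booking/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            update_post_meta( absint( $request['id'] ), 'seat', sanitize_text_field( $request['seat'] ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', absint( $request['id'] ) );
        },
    ) );
} );
```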
Remediation (AI)
Update the Bus Ticket Booking with Seat Reservation plugin to version 5.6.8 or later immediately. In the WordPress admin dashboard, go to Plugins > Installed Plugins, locate the plugin, and click Update if one is available. If automatic updates are not enabled, download version 5.6.8 or later from https://patchstack.com/database/wordpress/plugin/bus-ticket-booking-with-seat-reservation and upload it manually via the WordPress plugin installer. For sites that cannot update immediately, apply WordPress security hardening: restrict admin-ajax.php requests to authenticated users via .htaccess or firewall rules; disable REST API access for unauthorized users by conditionally adding define('REST_REQUEST', false) in wp-config.php (with caution, as this may break legitimate functionality); and monitor access logs for POST/PUT/DELETE requests from unexpected sources. Test every mitigation against legitimate booking functionality before deploying to production, as overly restrictive access controls may prevent customers from making reservations.
References
EUVD-2025-209714
GHSA-jwq4-hvc6-vpm4