Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Book Landing Page book-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Book Landing Page: from n/a through <= 1.2.7.
AnalysisAI
Improper access control in raratheme Book Landing Page through version 1.2.7 permits unauthenticated attackers to modify content or data without proper authorization checks. The vulnerability stems from missing authentication validation on protected operations, allowing remote exploitation without user interaction. No patch is currently available.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a class of flaws where software fails to properly verify that a user has permission to perform a requested action before executing it. The Book Landing Page plugin, developed by raratheme, implements endpoint handlers or functionality that accept user requests without sufficient authorization checks. The affected component likely manages book landing page content, metadata, or configuration through web-accessible endpoints that do not validate user privileges or session tokens. This is typical in WordPress plugin architectures where custom post types or admin AJAX actions are exposed without proper capability checks (wp_verify_nonce, current_user_can, etc.). The vulnerability affects versions 1.2.7 and earlier, suggesting the authorization framework may have been added or improved in later versions.
RemediationAI
The primary remediation is to upgrade the Book Landing Page plugin to version 1.2.8 or later, which should include proper authorization checks on all data-modifying endpoints. Users should immediately apply the patch through their WordPress dashboard (Plugins > Installed Plugins > Book Landing Page > Update) or via WordPress CLI (wp plugin update book-landing-page). As an interim workaround until patching is possible, administrators should disable the plugin and reactivate it only after upgrading, or restrict access to wp-admin and plugin endpoints using web application firewall (WAF) rules or .htaccess restrictions to limit exposure. Additionally, conduct a security audit of recent changes to book landing pages to identify any unauthorized modifications that may have occurred, and consider implementing role-based access controls at the application level to enforce least-privilege principles.
More in Book Landing Page
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11880