Skip to main content

Booking Activities CVE-2026-39525

| EUVDEUVD-2026-36958 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-85jw-qgjm-2hxq
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable unauthenticated endpoint with no complexity barriers; impact limited to low integrity and availability, no data exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:12 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions.

AnalysisAI

Broken access control in the Booking Activities WordPress plugin (versions up to and including 1.16.48.1) enables unauthenticated remote attackers to perform restricted booking-related operations without authorization. Rooted in CWE-862 (Missing Authorization), the flaw bypasses access controls at the network level with no privileges or user interaction required, resulting in low-severity integrity and availability impacts - likely allowing unauthorized creation, modification, or cancellation of bookings. No public exploit code or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

Booking Activities is a WordPress plugin (CPE: cpe:2.3:a:booking_activities_team:booking_activities:*:*:*:*:*:*:*:*) that provides activity scheduling and reservation management functionality. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that one or more plugin endpoints - likely REST API routes or AJAX handlers registered via WordPress hooks - fail to validate whether the requesting user holds sufficient permissions before executing sensitive operations. This class of flaw is common in WordPress plugins where developers rely on obscurity of endpoint names rather than explicit capability or nonce checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerable endpoint is reachable over the network without any credential or session context.

RemediationAI

No exact patched version number was provided in the available intelligence data; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/booking-activities/vulnerability/wordpress-booking-activities-plugin-1-16-48-1-broken-access-control-vulnerability) and the WordPress plugin repository should be consulted for the latest fixed release. As an interim compensating control, site administrators can restrict access to plugin AJAX endpoints and REST routes by enforcing authentication at the web server or WAF layer - for example, requiring a valid WordPress session cookie for requests to wp-admin/admin-ajax.php or the relevant REST namespace. This may break unauthenticated frontend booking flows and should be tested in staging before production deployment. Additionally, consider using a WordPress security plugin (e.g., Wordfence, Patchstack Firewall) capable of virtually patching this specific CVE while an official update is applied.

Share

CVE-2026-39525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy