Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoint, no authentication or user interaction, full site takeover impacts CIA; AC:H reflects an undisclosed non-trivial precondition noted by Patchstack.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions.
AnalysisAI
Unauthenticated privilege escalation in the WP BASE Booking WordPress plugin (versions through 5.9.0) allows remote attackers to elevate privileges without credentials, with potential to fully compromise affected WordPress sites. The flaw is rated CVSS 8.1 (high) with no public exploit identified at time of analysis, but the unauthenticated nature and high impact on confidentiality, integrity, and availability make it a notable risk for sites running the plugin.
Technical ContextAI
WP BASE Booking (CPE cpe:2.3:a:hakan_ozevin:wp_base_booking) is a WordPress plugin for booking appointments, services, and events. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants a user a privilege level - or accepts an action - that should be restricted to higher-privileged roles. In WordPress plugins this class of bug typically arises from missing capability checks (current_user_can) or unauthenticated AJAX/REST endpoints that perform privileged actions such as role assignment, user creation, or option updates without verifying the caller's role.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data - the Patchstack advisory lists affected versions as ≤5.9.0 but does not confirm a fixed release in the inputs supplied. Site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-base-booking-of-appointments-services-and-events/vulnerability/wordpress-wp-base-booking-plugin-5-9-0-privilege-escalation-vulnerability for the latest fix status and upgrade to any version greater than 5.9.0 once released. As compensating controls until a patch is applied, deactivate the WP BASE Booking plugin (which will disable booking functionality on the site), or place the WordPress admin and plugin AJAX/REST endpoints (/wp-admin/admin-ajax.php, /wp-json/) behind a WAF rule or virtual patch from Patchstack/Wordfence that blocks anonymous requests targeting the plugin's namespace, accepting that overly broad rules may break legitimate front-end booking flows.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36968
GHSA-23mx-4w8p-jgwp