Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in igms iGMS Direct Booking igms-direct-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iGMS Direct Booking: from n/a through <= 1.3.
AnalysisAI
Missing authorization in iGMS Direct Booking WordPress plugin versions 1.3 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, affecting confidentiality but not integrity or availability. The vulnerability carries a CVSS score of 5.3 with network-based remote access and no authentication required, though EPSS exploitation probability is very low at 0.02% percentile, suggesting minimal real-world threat despite the authorization flaw.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a root cause where the application fails to enforce proper access control checks on sensitive resources or operations. iGMS Direct Booking is a WordPress plugin (CPE: cpe:2.3:a:igms:igms_direct_booking:*:*:*:*:*:*:*:*) for hotel and accommodation booking management; the broken access control allows attackers to bypass security levels that should restrict access to booking data or administrative functions. The issue is classified as an authentication bypass, indicating that access control validation is either missing or improperly configured, likely in endpoints that handle booking queries or user data retrieval.
RemediationAI
Upgrade iGMS Direct Booking plugin to a version higher than 1.3 as soon as possible; the plugin author should release a patched version addressing the access control misconfiguration. If an immediate patch is not available, apply any access control hardening recommendations provided by the plugin vendor through their security advisory. Site administrators should verify in the plugin settings that booking data and administrative functions are restricted to authenticated users with appropriate roles (e.g., site administrators or booking managers only), and audit recent access logs to identify any unauthorized data reads through the affected endpoints. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/igms-direct-booking/vulnerability/wordpress-igms-direct-booking-plugin-1-3-broken-access-control-vulnerability for detailed guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20319
GHSA-ghv4-9m2j-qg2p