Skip to main content

Igms Direct Booking CVE-2026-39652

| EUVDEUVD-2026-20319 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-ghv4-9m2j-qg2p
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20319
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in igms iGMS Direct Booking igms-direct-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iGMS Direct Booking: from n/a through <= 1.3.

AnalysisAI

Missing authorization in iGMS Direct Booking WordPress plugin versions 1.3 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, affecting confidentiality but not integrity or availability. The vulnerability carries a CVSS score of 5.3 with network-based remote access and no authentication required, though EPSS exploitation probability is very low at 0.02% percentile, suggesting minimal real-world threat despite the authorization flaw.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a root cause where the application fails to enforce proper access control checks on sensitive resources or operations. iGMS Direct Booking is a WordPress plugin (CPE: cpe:2.3:a:igms:igms_direct_booking:*:*:*:*:*:*:*:*) for hotel and accommodation booking management; the broken access control allows attackers to bypass security levels that should restrict access to booking data or administrative functions. The issue is classified as an authentication bypass, indicating that access control validation is either missing or improperly configured, likely in endpoints that handle booking queries or user data retrieval.

RemediationAI

Upgrade iGMS Direct Booking plugin to a version higher than 1.3 as soon as possible; the plugin author should release a patched version addressing the access control misconfiguration. If an immediate patch is not available, apply any access control hardening recommendations provided by the plugin vendor through their security advisory. Site administrators should verify in the plugin settings that booking data and administrative functions are restricted to authenticated users with appropriate roles (e.g., site administrators or booking managers only), and audit recent access logs to identify any unauthorized data reads through the affected endpoints. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/igms-direct-booking/vulnerability/wordpress-igms-direct-booking-plugin-1-3-broken-access-control-vulnerability for detailed guidance.

Share

CVE-2026-39652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy