Skip to main content

Pinpoint Booking System CVE-2026-39678

| EUVDEUVD-2026-20359 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-8ppv-64cq-c7jh
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20359
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in DOTonPAPER Pinpoint Booking System booking-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pinpoint Booking System: from n/a through <= 2.9.9.6.5.

AnalysisAI

Unauthenticated remote attackers can bypass access control in DOTonPAPER Pinpoint Booking System versions up to 2.9.9.6.5 to view sensitive booking data due to missing authorization checks on API endpoints. The vulnerability allows information disclosure with low confidentiality impact, and while CVSS rates it 5.3 (medium), the 0.02% EPSS score indicates minimal real-world exploitation probability despite the straightforward network-based attack vector.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization) in the Pinpoint Booking System WordPress plugin, indicating that application endpoints lack proper access control verification before serving sensitive resources. The plugin fails to validate user permissions or authentication tokens when processing booking-related requests, allowing unauthenticated network clients to directly access endpoints that should be restricted. The attack requires no user interaction or complex prerequisites (AC:L), making the underlying authorization logic a fundamental architectural weakness rather than a complex exploitation requirement.

RemediationAI

Update DOTonPAPER Pinpoint Booking System to a version higher than 2.9.9.6.5; the vendor's Patchstack advisory should be consulted for the exact patched release number. Users unable to immediately update should restrict access to booking endpoints via Web Application Firewall (WAF) rules or htaccess/nginx directives to require authentication tokens or IP whitelisting. The Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/booking-system/vulnerability/wordpress-pinpoint-booking-system-plugin-2-9-9-6-5-broken-access-control-vulnerability?_s_id=cve) and NIST CVE detail (https://nvd.nist.gov/vuln/detail/CVE-2026-39678) provide advisory context.

Share

CVE-2026-39678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy