Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable WordPress endpoint (AV:N), no auth or interaction required per "unauthenticated" description (PR:N/UI:N), broken access control tampers with booking data (I:H) without exposing or destroying it (C:N/A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Booking Package <= 1.7.06 versions.
AnalysisAI
Unauthenticated broken access control in the SaaSProject Booking Package WordPress plugin versions 1.7.06 and earlier allows remote attackers to invoke privileged plugin functionality without authentication, resulting in unauthorized modification of booking data (CVSS 7.5, integrity-only impact). The flaw is a CWE-862 Missing Authorization issue disclosed via Patchstack and tracked in ENISA EUVD as EUVD-2026-36983, with no public exploit identified at time of analysis.
Technical ContextAI
Booking Package is a SaaSProject-developed WordPress plugin (CPE cpe:2.3:a:saasproject:booking_package) that exposes appointment and reservation management to site administrators through WordPress AJAX/REST endpoints. CWE-862 (Missing Authorization) indicates one or more of these endpoints fail to perform a capability check (current_user_can) or nonce verification before executing privileged operations, so requests from unauthenticated visitors are processed as if they were authorized. This pattern is common in WordPress plugins when admin-ajax actions are registered with the wp_ajax_nopriv_ prefix or REST routes omit a permission_callback.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data, so administrators should upgrade the Booking Package plugin to the latest version published after 1.7.06 from the WordPress.org plugin repository or the SaaSProject vendor site, consulting https://patchstack.com/database/wordpress/plugin/booking-package/vulnerability/wordpress-booking-package-plugin-1-7-06-broken-access-control-vulnerability for the exact fixed release. Until the upgrade is applied, compensating controls include disabling and deactivating the Booking Package plugin entirely (which removes booking functionality from the site), or placing the affected admin-ajax.php and /wp-json/ REST endpoints behind a WAF rule (Patchstack/Wordfence virtual patch) that blocks unauthenticated requests carrying the plugin's action parameters - at the cost of potentially blocking legitimate front-end booking flows that rely on the same endpoints. Restricting access to wp-admin/admin-ajax.php to authenticated sessions only is not viable here because WordPress requires nopriv endpoints for many front-end features, so a targeted WAF rule is preferable.
More in Booking Package
View allThe Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's bookin
Unauthenticated SQL injection in the Booking Package WordPress plugin (versions up to and including 1.7.20, by developer
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36983
GHSA-8367-f83r-jqj5