Skip to main content

Booking Package CVE-2026-40774

| EUVDEUVD-2026-36983 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-8367-f83r-jqj5
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable WordPress endpoint (AV:N), no auth or interaction required per "unauthenticated" description (PR:N/UI:N), broken access control tampers with booking data (I:H) without exposing or destroying it (C:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:10 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Booking Package <= 1.7.06 versions.

AnalysisAI

Unauthenticated broken access control in the SaaSProject Booking Package WordPress plugin versions 1.7.06 and earlier allows remote attackers to invoke privileged plugin functionality without authentication, resulting in unauthorized modification of booking data (CVSS 7.5, integrity-only impact). The flaw is a CWE-862 Missing Authorization issue disclosed via Patchstack and tracked in ENISA EUVD as EUVD-2026-36983, with no public exploit identified at time of analysis.

Technical ContextAI

Booking Package is a SaaSProject-developed WordPress plugin (CPE cpe:2.3:a:saasproject:booking_package) that exposes appointment and reservation management to site administrators through WordPress AJAX/REST endpoints. CWE-862 (Missing Authorization) indicates one or more of these endpoints fail to perform a capability check (current_user_can) or nonce verification before executing privileged operations, so requests from unauthenticated visitors are processed as if they were authorized. This pattern is common in WordPress plugins when admin-ajax actions are registered with the wp_ajax_nopriv_ prefix or REST routes omit a permission_callback.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data, so administrators should upgrade the Booking Package plugin to the latest version published after 1.7.06 from the WordPress.org plugin repository or the SaaSProject vendor site, consulting https://patchstack.com/database/wordpress/plugin/booking-package/vulnerability/wordpress-booking-package-plugin-1-7-06-broken-access-control-vulnerability for the exact fixed release. Until the upgrade is applied, compensating controls include disabling and deactivating the Booking Package plugin entirely (which removes booking functionality from the site), or placing the affected admin-ajax.php and /wp-json/ REST endpoints behind a WAF rule (Patchstack/Wordfence virtual patch) that blocks unauthenticated requests carrying the plugin's action parameters - at the cost of potentially blocking legitimate front-end booking flows that rely on the same endpoints. Restricting access to wp-admin/admin-ajax.php to authenticated sessions only is not viable here because WordPress requires nopriv endpoints for many front-end features, so a targeted WAF rule is preferable.

Share

CVE-2026-40774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy