Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress endpoint with low complexity (PR:N, AV:N, AC:L); IDOR exposes other users' data only, so C:H with I:N and A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.
AnalysisAI
Unauthenticated Insecure Direct Object References in the VikRentCar WordPress plugin versions 1.4.5 and earlier allow remote attackers to access sensitive resources belonging to other users by manipulating predictable object identifiers. The flaw was disclosed via Patchstack and affects WordPress sites running the e4jvikwp VikRentCar booking plugin, with no public exploit identified at time of analysis but a high CVSS confidentiality impact reflecting potential exposure of booking, customer, or reservation data.
Technical ContextAI
VikRentCar is a WordPress plugin (vendor e4jvikwp) used for car rental booking management on WordPress sites, identified by CPE cpe:2.3:a:e4jvikwp:vikrentcar. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the application exposes a reference to an internal object - typically a numeric ID passed in a request parameter - without verifying that the requester is authorized to access it. As a result, an attacker can substitute another user's identifier and retrieve resources that should be access-controlled, bypassing the plugin's intended authorization model.
RemediationAI
Patch available per vendor advisory - upgrade the VikRentCar plugin to a version newer than 1.4.5 as published by e4jvikwp, consulting the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/vikrentcar/vulnerability/wordpress-vikrentcar-plugin-1-4-5-insecure-direct-object-references-idor-vulnerability for the exact fixed release. If immediate patching is not feasible, deactivate the VikRentCar plugin entirely (which disables the rental booking functionality on the site), or place the WordPress site behind a WAF such as Patchstack, Wordfence, or Cloudflare with virtual-patching rules for this CVE - note that generic WAF rules may miss the specific vulnerable parameter and should be validated. As an additional compensating control, restrict access to the plugin's relevant endpoints via web-server-level access rules or IP allowlisting for administrative paths, accepting the trade-off that legitimate front-end booking functionality may be impaired.
More in Vikrentcar
View allThe VikRentCar Car Rental Management System WordPress plugin before 1.3.2 does not have CSRF checks in some places, whic
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E4J s.R.L. Rated c
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all vers
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36904
GHSA-2xgc-784m-6j64