Skip to main content

VikRentCar CVE-2026-52699

| EUVDEUVD-2026-36904 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-15 Patchstack GHSA-2xgc-784m-6j64
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress endpoint with low complexity (PR:N, AV:N, AC:L); IDOR exposes other users' data only, so C:H with I:N and A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:24 vuln.today

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.

AnalysisAI

Unauthenticated Insecure Direct Object References in the VikRentCar WordPress plugin versions 1.4.5 and earlier allow remote attackers to access sensitive resources belonging to other users by manipulating predictable object identifiers. The flaw was disclosed via Patchstack and affects WordPress sites running the e4jvikwp VikRentCar booking plugin, with no public exploit identified at time of analysis but a high CVSS confidentiality impact reflecting potential exposure of booking, customer, or reservation data.

Technical ContextAI

VikRentCar is a WordPress plugin (vendor e4jvikwp) used for car rental booking management on WordPress sites, identified by CPE cpe:2.3:a:e4jvikwp:vikrentcar. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the application exposes a reference to an internal object - typically a numeric ID passed in a request parameter - without verifying that the requester is authorized to access it. As a result, an attacker can substitute another user's identifier and retrieve resources that should be access-controlled, bypassing the plugin's intended authorization model.

RemediationAI

Patch available per vendor advisory - upgrade the VikRentCar plugin to a version newer than 1.4.5 as published by e4jvikwp, consulting the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/vikrentcar/vulnerability/wordpress-vikrentcar-plugin-1-4-5-insecure-direct-object-references-idor-vulnerability for the exact fixed release. If immediate patching is not feasible, deactivate the VikRentCar plugin entirely (which disables the rental booking functionality on the site), or place the WordPress site behind a WAF such as Patchstack, Wordfence, or Cloudflare with virtual-patching rules for this CVE - note that generic WAF rules may miss the specific vulnerable parameter and should be validated. As an additional compensating control, restrict access to the plugin's relevant endpoints via web-server-level access rules or IP allowlisting for administrative paths, accepting the trade-off that legitimate front-end booking functionality may be impaired.

Share

CVE-2026-52699 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy