Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable unauthenticated endpoint with no complexity; only limited integrity impact from unauthorized booking actions, no confidentiality or availability loss.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions.
AnalysisAI
Unauthenticated broken access control in the Booking and Rental Manager WordPress plugin (versions <= 2.7.1) allows remote unauthenticated attackers to perform restricted actions, resulting in unauthorized integrity modifications to booking or rental data. The flaw stems from missing authorization checks (CWE-862), meaning any network-accessible request can bypass intended access controls without credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond having the Booking and Rental Manager plugin installed and active on a WordPress/WooCommerce site - the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote unauthenticated exploitation against default plugin configurations. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately characterizes the risk as limited in practical impact: only integrity is affected (I:L), with no confidentiality exposure (C:N) and no availability impact (A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker identifies a WordPress site running Booking and Rental Manager <= 2.7.1 and sends a crafted HTTP request to the plugin's unprotected AJAX or REST endpoint, invoking a privileged action such as creating, modifying, or canceling a booking without any credentials. No public proof-of-concept code has been identified, but the low attack complexity (AC:L) and absence of privilege requirements (PR:N) mean exploitation requires minimal technical skill once the target endpoint is known. |
| Remediation | No vendor-released patch version was confirmed in the available intelligence at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39665
GHSA-55q6-vh7x-32vm