Skip to main content

Booking and Rental Manager CVE-2026-57660

| EUVDEUVD-2026-39665 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-55q6-vh7x-32vm
5.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable unauthenticated endpoint with no complexity; only limited integrity impact from unauthorized booking actions, no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:08 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions.

AnalysisAI

Unauthenticated broken access control in the Booking and Rental Manager WordPress plugin (versions <= 2.7.1) allows remote unauthenticated attackers to perform restricted actions, resulting in unauthorized integrity modifications to booking or rental data. The flaw stems from missing authorization checks (CWE-862), meaning any network-accessible request can bypass intended access controls without credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with plugin
Exploit
Send unauthenticated HTTP request to exposed endpoint
Execution
Bypass missing authorization check
Impact
Perform restricted booking action

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond having the Booking and Rental Manager plugin installed and active on a WordPress/WooCommerce site - the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote unauthenticated exploitation against default plugin configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately characterizes the risk as limited in practical impact: only integrity is affected (I:L), with no confidentiality exposure (C:N) and no availability impact (A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a WordPress site running Booking and Rental Manager <= 2.7.1 and sends a crafted HTTP request to the plugin's unprotected AJAX or REST endpoint, invoking a privileged action such as creating, modifying, or canceling a booking without any credentials. No public proof-of-concept code has been identified, but the low attack complexity (AC:L) and absence of privilege requirements (PR:N) mean exploitation requires minimal technical skill once the target endpoint is known.
Remediation No vendor-released patch version was confirmed in the available intelligence at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57660 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy