Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable plugin endpoint requires no authentication; only partial integrity impact confirmed, with no confidentiality or availability consequence described.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7.
AnalysisAI
Missing authorization controls in the Car Rental Manager WordPress plugin (≤1.3.7) allow unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited integrity impact. The CVSS vector (PR:N/UI:N) confirms exploitation requires no credentials or user interaction against any publicly reachable WordPress site running the affected plugin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress site has the Car Rental Manager plugin installed and active in version 1.3.7 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 Medium is supported by the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating trivial remote exploitability with no authentication barrier, but limited to a partial integrity impact with no confidentiality or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers a WordPress site running Car Rental Manager ≤1.3.7, then sends a crafted HTTP POST request directly to the plugin's unprotected AJAX handler or REST endpoint, bypassing the missing authorization check. The attacker successfully modifies rental booking records, plugin settings, or vehicle availability data without holding any WordPress account. … |
| Remediation | Update the Car Rental Manager plugin beyond version 1.3.7 as soon as a patched release is available from the plugin author (magepeopleteam). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43321