Skip to main content

Car Rental Manager CVE-2026-61985

| EUVDEUVD-2026-43321 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable plugin endpoint requires no authentication; only partial integrity impact confirmed, with no confidentiality or availability consequence described.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 10:20 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7.

AnalysisAI

Missing authorization controls in the Car Rental Manager WordPress plugin (≤1.3.7) allow unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited integrity impact. The CVSS vector (PR:N/UI:N) confirms exploitation requires no credentials or user interaction against any publicly reachable WordPress site running the affected plugin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Car Rental Manager ≤1.3.7
Delivery
Discover unprotected plugin endpoint (AJAX/REST)
Exploit
Send unauthenticated crafted HTTP request
Execution
Bypass missing authorization check
Impact
Modify rental data or plugin configuration

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site has the Car Rental Manager plugin installed and active in version 1.3.7 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 Medium is supported by the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating trivial remote exploitability with no authentication barrier, but limited to a partial integrity impact with no confidentiality or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WordPress site running Car Rental Manager ≤1.3.7, then sends a crafted HTTP POST request directly to the plugin's unprotected AJAX handler or REST endpoint, bypassing the missing authorization check. The attacker successfully modifies rental booking records, plugin settings, or vehicle availability data without holding any WordPress account. …
Remediation Update the Car Rental Manager plugin beyond version 1.3.7 as soon as a patched release is available from the plugin author (magepeopleteam). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy