Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description explicitly states read (C:L), write/create/update (I:L), and delete (A:L) capabilities; published C:N/A:N omits these per-description impacts.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.
AnalysisAI
Authorization bypass in the RentMy Real-Time Rental Management Plugin for WordPress exposes full CRUD control over rental event records and location configuration to unauthenticated remote attackers, affecting all versions through 4.0.4.1. The root cause is missing authorization checks in the plugin's AJAX handler class (class-rentmy-ajax.php), allowing any unauthenticated visitor to invoke privileged actions via WordPress's standard AJAX endpoint. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the RentMy Real-Time Rental Management Plugin to be installed and activated on the target WordPress site running any version up to and including 4.0.4.1 - no non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 5.3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) captures the unauthenticated network exposure and low complexity accurately, but rates only partial integrity impact and omits confidentiality and availability dimensions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP POST request to the target WordPress site's wp-admin/admin-ajax.php endpoint, specifying one of the unprotected RentMy action names registered in class-rentmy-ajax.php. Without any session token or credentials, the attacker is able to enumerate, overwrite, or delete rental event records in the rentmy_events option and set rentmy_locationId to an attacker-controlled value, potentially disrupting booking workflows or poisoning location data. … |
| Remediation | No vendor-released patched version has been independently confirmed at time of analysis - the CPE wildcard covering all versions through 4.0.4.1 indicates the fix version is not yet documented in NVD or Wordfence data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38690
GHSA-6r7v-ww2r-2qpr