Bus Ticket Booking with Seat Reservation EUVD-2025-209714

CVE-2025-66105 MEDIUM
Missing Authorization (CWE-862)
2026-05-07 Patchstack GHSA-jwq4-hvc6-vpm4
5.3 (CVSS 3.1 · NVD)

Severity by source

NVD (primary): 5.3 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Patch available: May 07, 2026 - 10:16 (EUVD)
Analysis Generated: May 07, 2026 - 09:01 (vuln.today)
CVE Published: May 07, 2026 - 07:46 (nvd), MEDIUM 5.3

Description (CVE.org)

Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8.

Analysis (AI)

Missing authorization controls in the Magepeople Inc. Bus Ticket Booking with Seat Reservation WordPress plugin allow unauthenticated remote attackers to modify data (such as ticket bookings or seat reservations) through incorrectly configured access control security levels. The vulnerability affects versions before 5.6.8 and has a CVSS score of 5.3 (medium severity) with a network attack vector requiring no authentication or user interaction.

Technical Context (AI)

This is a broken access control vulnerability (CWE-862: Missing Authorization) in a WordPress plugin that manages bus ticket reservations and seat allocation. The plugin fails to properly validate user permissions before allowing modifications to protected resources. WordPress plugins are executed server-side within the WordPress application context, and improper access control checks allow attackers to bypass intended authorization mechanisms. The vulnerability likely exists in REST API endpoints, AJAX handlers, or admin functions that lack proper capability checks (nonce verification and user role validation), which are standard WordPress security controls for preventing unauthorized data modification.

Remediation (AI)

Update the Bus Ticket Booking with Seat Reservation plugin to version 5.6.8 or later immediately. Users should navigate to the WordPress admin dashboard, go to Plugins > Installed Plugins, locate the plugin, and click Update if available. If automatic updates are not enabled, download version 5.6.8 or later from https://patchstack.com/database/wordpress/plugin/bus-ticket-booking-with-seat-reservation and upload it manually via the WordPress plugin installer.

For sites unable to update immediately, implement WordPress security hardening: restrict admin-ajax.php requests to authenticated users via .htaccess or firewall rules, disable REST API access for unauthorized users by adding define('REST_REQUEST', false) conditionally in wp-config.php (with caution, as this may break legitimate functionality), and monitor access logs for POST/PUT/DELETE requests from unexpected sources. Test all mitigations against legitimate booking functionality before production deployment, as overly restrictive access controls may prevent customers from making reservations.
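The log-monitoring step above can be sketched as follows. This is an added example, not code from the plugin or from this advisory; it assumes Combined Log Format access logs, and the sample lines, the REST route in them and the "expected" network are constructed.

```python
import ipaddress
import re
from collections import Counter

# Combined Log Format prefix: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WRITE_METHODS = {"POST", "PUT", "DELETE"}  # the methods the remediation names

def is_wp_write_surface(path):
    """True for admin-ajax.php and pretty-permalink REST routes (/wp-json/)."""
    bare = path.split("?", 1)[0]
    return bare.endswith("/wp-admin/admin-ajax.php") or "/wp-json/" in bare

def flag_unexpected_writes(lines, expected_networks):
    """Count state-changing requests to those entry points from outside
    the expected networks, keyed by (ip, method, path, status)."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        if not is_wp_write_surface(m["path"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or malformed
        if any(ip in net for net in nets):
            continue
        hits[(str(ip), m["method"], m["path"].split("?", 1)[0], m["status"])] += 1
    return hits

# Constructed sample lines (documentation address ranges, made-up REST route).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/May/2026:10:20:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [07/May/2026:10:20:02 +0000] "POST /wp-admin/admin-ajax.php?x=1 HTTP/1.1" 200 498 "-" "curl/8.5.0"',
    '198.51.100.20 - - [07/May/2026:10:21:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/May/2026:10:22:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [07/May/2026:10:23:00 +0000] "DELETE /wp-json/example/v1/item/3 HTTP/1.1" 403 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, count in flag_unexpected_writes(SAMPLE_LOG, ["192.0.2.0/24"]).most_common():
        print(count, *key)
```

On a public booking site, customers legitimately POST to these entry points, so the output is a triage list to review by source and volume rather than a block list.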
