Skip to main content

Court Reservation EUVDEUVD-2026-20354

| CVE-2026-39675 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-4vx8-jp4c-q9c5
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20354
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in webmuehle Court Reservation court-reservation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Court Reservation: from n/a through <= 1.10.11.

AnalysisAI

Webmuehle Court Reservation WordPress plugin versions up to 1.10.11 fail to properly validate user permissions, allowing unauthenticated remote attackers to modify court reservation data through incorrectly configured access control checks. The vulnerability enables integrity attacks against the reservation system despite missing confidentiality and availability impact. With EPSS score of 0.02% and no KEV confirmation, real-world exploitation risk is minimal, though the authentication bypass vector presents a foundational security gap.

Technical ContextAI

The vulnerability stems from improper implementation of authorization controls (CWE-862: Missing Authorization) in the webmuehle Court Reservation WordPress plugin. Rather than a cryptographic or protocol weakness, this is a business logic flaw where the application fails to enforce role-based or capability-based access controls before permitting modifications to court reservation objects. The CVSS vector AV:N/AC:L/PR:N indicates the vulnerability is exploitable remotely without prior authentication or user interaction, meaning the plugin likely exposes reservation-modification endpoints that lack server-side permission verification. This is characteristic of WordPress plugins that implement custom REST API endpoints or form handlers without proper capability checks using wp_verify_nonce() and current_user_can() functions.

RemediationAI

Immediately upgrade webmuehle Court Reservation to the patched version released after 1.10.11, ensuring all installed instances reflect this update. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/court-reservation/vulnerability/wordpress-court-reservation-plugin-1-10-11-broken-access-control-vulnerability?_s_id=cve provides vendor-specific guidance and may include interim security recommendations. As a temporary mitigation pending upgrade, restrict plugin functionality using WordPress user role management or Web Application Firewall rules to block unauthorized POST/PUT requests to reservation endpoints; however, such workarounds do not address the root authorization flaw and should not delay patching. Verify successful remediation by auditing server logs for unauthenticated modification requests and testing permission controls on court reservation objects as non-admin users.

Share

EUVD-2026-20354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy