Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in webmuehle Court Reservation court-reservation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Court Reservation: from n/a through <= 1.10.11.
AnalysisAI
Webmuehle Court Reservation WordPress plugin versions up to 1.10.11 fail to properly validate user permissions, allowing unauthenticated remote attackers to modify court reservation data through incorrectly configured access control checks. The vulnerability enables integrity attacks against the reservation system despite missing confidentiality and availability impact. With EPSS score of 0.02% and no KEV confirmation, real-world exploitation risk is minimal, though the authentication bypass vector presents a foundational security gap.
Technical ContextAI
The vulnerability stems from improper implementation of authorization controls (CWE-862: Missing Authorization) in the webmuehle Court Reservation WordPress plugin. Rather than a cryptographic or protocol weakness, this is a business logic flaw where the application fails to enforce role-based or capability-based access controls before permitting modifications to court reservation objects. The CVSS vector AV:N/AC:L/PR:N indicates the vulnerability is exploitable remotely without prior authentication or user interaction, meaning the plugin likely exposes reservation-modification endpoints that lack server-side permission verification. This is characteristic of WordPress plugins that implement custom REST API endpoints or form handlers without proper capability checks using wp_verify_nonce() and current_user_can() functions.
RemediationAI
Immediately upgrade webmuehle Court Reservation to the patched version released after 1.10.11, ensuring all installed instances reflect this update. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/court-reservation/vulnerability/wordpress-court-reservation-plugin-1-10-11-broken-access-control-vulnerability?_s_id=cve provides vendor-specific guidance and may include interim security recommendations. As a temporary mitigation pending upgrade, restrict plugin functionality using WordPress user role management or Web Application Firewall rules to block unauthorized POST/PUT requests to reservation endpoints; however, such workarounds do not address the root authorization flaw and should not delay patching. Verify successful remediation by auditing server logs for unauthenticated modification requests and testing permission controls on court reservation objects as non-admin users.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20354
GHSA-4vx8-jp4c-q9c5