Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WpBookingly: from n/a through 1.2.9.
AnalysisAI
Broken access control in the WpBookingly WordPress plugin (Magepeople Inc.) through version 1.2.9 enables network-authenticated high-privilege users to perform unauthorized integrity and availability-impacting actions against the booking management system. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce proper authorization checks on one or more endpoints, allowing exploitation of incorrectly configured access control levels. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Technical ContextAI
WpBookingly is a WordPress service booking management plugin developed by Magepeople Inc., identified by CPE cpe:2.3:a:magepeople_inc.:wpbookingly:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization), a class of vulnerability where the application performs a sensitive action - such as modifying or deleting booking records - without verifying that the requesting user is authorized to do so, even when authentication is present. In WordPress plugin architecture, this typically manifests as AJAX handlers, REST API endpoints, or admin-panel actions that check for authentication (nonce or login status) but omit a capabilities check (e.g., current_user_can()), allowing privilege escalation within the WordPress role hierarchy. The CVSS vector AV:N/AC:L/PR:H/UI:N indicates the flaw is reachable over the network with no user interaction, but requires high-privilege credentials to trigger.
RemediationAI
The primary remediation is to update the WpBookingly plugin to a version beyond 1.2.9 once a patched release is published by Magepeople Inc.; however, no explicit patched version number was confirmed in the available intelligence data - verify the latest version via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/service-booking-manager/vulnerability/wordpress-wpbookingly-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve before upgrading. As a compensating control pending a patch, restrict the WordPress Administrator role to only fully trusted accounts and audit existing admin-level users to eliminate unnecessary privilege grants. In high-sensitivity environments, consider temporarily deactivating the plugin if booking functionality is non-critical, accepting the trade-off of service disruption. Web Application Firewall (WAF) rules targeting unauthorized access to the plugin's specific AJAX or REST endpoints may provide partial mitigation but are not a substitute for the official patch.
More in Wpbookingly
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31097
GHSA-v254-7qjr-r9fr