Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WpBookingly: from n/a through 1.2.9.
AnalysisAI
Missing authorization checks in the WpBookingly WordPress plugin (versions through 1.2.9) allow authenticated low-privilege users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack and tracked as EUVD-2026-31964, this broken access control flaw (CWE-862) does not require elevated privileges or user interaction, but exploitation is constrained to authenticated sessions. No public exploit code exists and EPSS stands at 0.03% (8th percentile), with SSVC classifying exploitation status as none - making this a low-urgency but legitimate remediation target for WordPress environments with untrusted authenticated users.
Technical ContextAI
WpBookingly is a WordPress service booking manager plugin developed by Magepeople Inc., identified by CPE cpe:2.3:a:magepeople_inc.:wpbookingly:*:*:*:*:*:*:*:* covering all versions through 1.2.9. CWE-862 (Missing Authorization) indicates the plugin executes privileged operations - likely via WordPress AJAX handlers, REST API endpoints, or admin-facing actions - without verifying whether the requesting authenticated user holds the appropriate WordPress capability or role. This class of flaw is common in WordPress plugins where developers check authentication state (e.g., is_user_logged_in() or nonce verification) but omit capability checks (e.g., current_user_can()), allowing any authenticated session to trigger functionality intended only for administrators or booking managers.
RemediationAI
Administrators running WpBookingly version 1.2.9 or earlier should update to the next available patched release via the WordPress plugin dashboard or the official plugin repository. A specific patched version number is not confirmed in the available data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/service-booking-manager/vulnerability/wordpress-wpbookingly-plugin-1-2-9-broken-access-control-vulnerability-2 should be monitored for a confirmed fix version. As a compensating control in the interim, restrict the WordPress installation to trusted authenticated users only by disabling open registration or subscriber-level account creation, which removes the untrusted authenticated user prerequisite and effectively neutralizes the attack vector. For high-sensitivity deployments, temporarily deactivating the WpBookingly plugin eliminates exposure entirely, at the cost of disabling booking functionality. The Patchstack Firewall (available in their free tier for WordPress) can also be used to virtually patch this vulnerability without requiring a plugin update.
More in Wpbookingly
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31964
GHSA-5r4v-72rx-mg8x