Skip to main content

WpBookingly EUVDEUVD-2026-31964

| CVE-2026-25444 MEDIUM
Missing Authorization (CWE-862)
2026-05-26 Patchstack GHSA-5r4v-72rx-mg8x
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:11 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects WpBookingly: from n/a through 1.2.9.

AnalysisAI

Missing authorization checks in the WpBookingly WordPress plugin (versions through 1.2.9) allow authenticated low-privilege users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack and tracked as EUVD-2026-31964, this broken access control flaw (CWE-862) does not require elevated privileges or user interaction, but exploitation is constrained to authenticated sessions. No public exploit code exists and EPSS stands at 0.03% (8th percentile), with SSVC classifying exploitation status as none - making this a low-urgency but legitimate remediation target for WordPress environments with untrusted authenticated users.

Technical ContextAI

WpBookingly is a WordPress service booking manager plugin developed by Magepeople Inc., identified by CPE cpe:2.3:a:magepeople_inc.:wpbookingly:*:*:*:*:*:*:*:* covering all versions through 1.2.9. CWE-862 (Missing Authorization) indicates the plugin executes privileged operations - likely via WordPress AJAX handlers, REST API endpoints, or admin-facing actions - without verifying whether the requesting authenticated user holds the appropriate WordPress capability or role. This class of flaw is common in WordPress plugins where developers check authentication state (e.g., is_user_logged_in() or nonce verification) but omit capability checks (e.g., current_user_can()), allowing any authenticated session to trigger functionality intended only for administrators or booking managers.

RemediationAI

Administrators running WpBookingly version 1.2.9 or earlier should update to the next available patched release via the WordPress plugin dashboard or the official plugin repository. A specific patched version number is not confirmed in the available data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/service-booking-manager/vulnerability/wordpress-wpbookingly-plugin-1-2-9-broken-access-control-vulnerability-2 should be monitored for a confirmed fix version. As a compensating control in the interim, restrict the WordPress installation to trusted authenticated users only by disabling open registration or subscriber-level account creation, which removes the untrusted authenticated user prerequisite and effectively neutralizes the attack vector. For high-sensitivity deployments, temporarily deactivating the WpBookingly plugin eliminates exposure entirely, at the cost of disabling booking functionality. The Patchstack Firewall (available in their free tier for WordPress) can also be used to virtually patch this vulnerability without requiring a plugin update.

Share

EUVD-2026-31964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy