Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable unauthenticated endpoint with no complexity barriers; impact limited to low integrity and availability, no data exposure.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions.
AnalysisAI
Broken access control in the Booking Activities WordPress plugin (versions up to and including 1.16.48.1) enables unauthenticated remote attackers to perform restricted booking-related operations without authorization. Rooted in CWE-862 (Missing Authorization), the flaw bypasses access controls at the network level with no privileges or user interaction required, resulting in low-severity integrity and availability impacts - likely allowing unauthorized creation, modification, or cancellation of bookings. No public exploit code or CISA KEV listing has been identified at time of analysis.
Technical ContextAI
Booking Activities is a WordPress plugin (CPE: cpe:2.3:a:booking_activities_team:booking_activities:*:*:*:*:*:*:*:*) that provides activity scheduling and reservation management functionality. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that one or more plugin endpoints - likely REST API routes or AJAX handlers registered via WordPress hooks - fail to validate whether the requesting user holds sufficient permissions before executing sensitive operations. This class of flaw is common in WordPress plugins where developers rely on obscurity of endpoint names rather than explicit capability or nonce checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerable endpoint is reachable over the network without any credential or session context.
RemediationAI
No exact patched version number was provided in the available intelligence data; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/booking-activities/vulnerability/wordpress-booking-activities-plugin-1-16-48-1-broken-access-control-vulnerability) and the WordPress plugin repository should be consulted for the latest fixed release. As an interim compensating control, site administrators can restrict access to plugin AJAX endpoints and REST routes by enforcing authentication at the web server or WAF layer - for example, requiring a valid WordPress session cookie for requests to wp-admin/admin-ajax.php or the relevant REST namespace. This may break unauthenticated frontend booking flows and should be tested in staging before production deployment. Additionally, consider using a WordPress security plugin (e.g., Wordfence, Patchstack Firewall) capable of virtually patching this specific CVE while an official update is applied.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36958
GHSA-85jw-qgjm-2hxq