Skip to main content

WP BASE Booking EUVDEUVD-2026-36968

| CVE-2026-39587 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-23mx-4w8p-jgwp
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable WordPress endpoint, no authentication or user interaction, full site takeover impacts CIA; AC:H reflects an undisclosed non-trivial precondition noted by Patchstack.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:16 vuln.today

DescriptionCVE.org

Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions.

AnalysisAI

Unauthenticated privilege escalation in the WP BASE Booking WordPress plugin (versions through 5.9.0) allows remote attackers to elevate privileges without credentials, with potential to fully compromise affected WordPress sites. The flaw is rated CVSS 8.1 (high) with no public exploit identified at time of analysis, but the unauthenticated nature and high impact on confidentiality, integrity, and availability make it a notable risk for sites running the plugin.

Technical ContextAI

WP BASE Booking (CPE cpe:2.3:a:hakan_ozevin:wp_base_booking) is a WordPress plugin for booking appointments, services, and events. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants a user a privilege level - or accepts an action - that should be restricted to higher-privileged roles. In WordPress plugins this class of bug typically arises from missing capability checks (current_user_can) or unauthenticated AJAX/REST endpoints that perform privileged actions such as role assignment, user creation, or option updates without verifying the caller's role.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data - the Patchstack advisory lists affected versions as ≤5.9.0 but does not confirm a fixed release in the inputs supplied. Site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-base-booking-of-appointments-services-and-events/vulnerability/wordpress-wp-base-booking-plugin-5-9-0-privilege-escalation-vulnerability for the latest fix status and upgrade to any version greater than 5.9.0 once released. As compensating controls until a patch is applied, deactivate the WP BASE Booking plugin (which will disable booking functionality on the site), or place the WordPress admin and plugin AJAX/REST endpoints (/wp-admin/admin-ajax.php, /wp-json/) behind a WAF rule or virtual patch from Patchstack/Wordfence that blocks anonymous requests targeting the plugin's namespace, accepting that overly broad rules may break legitimate front-end booking flows.

Share

EUVD-2026-36968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy