Skip to main content

Webba Booking EUVDEUVD-2026-41055

| CVE-2026-27409 MEDIUM
Missing Authorization (CWE-862)
2026-07-01 Patchstack GHSA-pgwq-hmm6-jcx5
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable unauthenticated endpoint with no complexity barrier; impact is integrity-only and scoped to the vulnerable plugin system, with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 16:56 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Webba Plugins Webba Booking allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Webba Booking: from n/a through 6.4.13.

AnalysisAI

Unauthenticated remote attackers can bypass access controls in the Webba Booking WordPress plugin (all versions through 6.4.13) due to missing server-side authorization checks on one or more booking-related endpoints, enabling unauthorized integrity-affecting actions such as creating, modifying, or canceling bookings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero-friction exploitation requiring no credentials or user interaction against any internet-facing WordPress site running the affected plugin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fingerprint WordPress site running Webba Booking ≤6.4.13
Exploit
Send unauthenticated HTTP request to unprotected booking endpoint
Execution
Bypass missing authorization check
Impact
Perform unauthorized booking data write operation

Vulnerability AssessmentAI

Exploitation Exploitation requires the target WordPress installation to have the Webba Booking plugin installed and active at version 6.4.13 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) reflects a genuinely limited impact profile: while the attack is fully unauthenticated and network-reachable with low complexity (AV:N/AC:L/PR:N/UI:N), the scope is unaffected (S:U) and impact is confined to partial integrity (I:L) with no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with no account or prior access scans for WordPress sites running Webba Booking via passive reconnaissance (e.g., wappalyzer fingerprinting, plugin enumeration) and sends a crafted unauthenticated HTTP POST request to the vulnerable booking endpoint. The missing authorization check allows the request to proceed, enabling the attacker to manipulate booking records - for example, bulk-canceling appointments or injecting fraudulent reservations - without ever authenticating. …
Remediation Upgrade Webba Booking to a version above 6.4.13 once a patched release is published by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41055 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy