Wpbookingly
Monthly
Missing authorization checks in the WpBookingly WordPress plugin (versions through 1.2.9) allow authenticated low-privilege users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack and tracked as EUVD-2026-31964, this broken access control flaw (CWE-862) does not require elevated privileges or user interaction, but exploitation is constrained to authenticated sessions. No public exploit code exists and EPSS stands at 0.03% (8th percentile), with SSVC classifying exploitation status as none - making this a low-urgency but legitimate remediation target for WordPress environments with untrusted authenticated users.
Broken access control in the WpBookingly WordPress plugin (Magepeople Inc.) through version 1.2.9 enables network-authenticated high-privilege users to perform unauthorized integrity and availability-impacting actions against the booking management system. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce proper authorization checks on one or more endpoints, allowing exploitation of incorrectly configured access control levels. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Missing authorization checks in the WpBookingly WordPress plugin (versions through 1.2.9) allow authenticated low-privilege users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack and tracked as EUVD-2026-31964, this broken access control flaw (CWE-862) does not require elevated privileges or user interaction, but exploitation is constrained to authenticated sessions. No public exploit code exists and EPSS stands at 0.03% (8th percentile), with SSVC classifying exploitation status as none - making this a low-urgency but legitimate remediation target for WordPress environments with untrusted authenticated users.
Broken access control in the WpBookingly WordPress plugin (Magepeople Inc.) through version 1.2.9 enables network-authenticated high-privilege users to perform unauthorized integrity and availability-impacting actions against the booking management system. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce proper authorization checks on one or more endpoints, allowing exploitation of incorrectly configured access control levels. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.