Description
Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through <= 2.2.1.
Published: 2025-01-31
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows attackers to exploit incorrectly configured access control security levels in the Booking and Rental Manager plugin for WordPress. An attacker can perform actions intended for higher-privilege users, potentially changing booking data, viewing sensitive information, or manipulating rental configurations. The weakness is a classic Missing Authorization failure (CWE‑862).

Affected Systems

The flaw affects the magepeopleteam Booking and Rental Manager plugin for WooCommerce in all versions up to and including 2.2.1. WordPress sites running the plugin are the directly affected systems.

Risk and Exploitability

The CVSS score of 5.8 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of active exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is via the web application, where an unauthenticated or low‑privilege user can reach a management endpoint that does not properly enforce access controls. Exploitation would require gaining unauthorized access to privileged actions such as editing or deleting bookings.

Generated by OpenCVE AI on May 1, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update released by magepeopleteam that addresses the missing authorization bug.
  • Re‑evaluate the plugin’s role and capability assignments to ensure that only intended user roles have management privileges.
  • If an update is not immediately available, consider temporarily disabling or uninstalling the plugin to prevent potential misuse until a patch can be applied.


Advisories
Source: EUVD
ID: EUVD-2025-2941
Title: Missing Authorization vulnerability in MagePeople Team Booking and Rental Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through 2.2.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in MagePeople Team Booking and Rental Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through 2.2.1.
  Added: Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through <= 2.2.1.
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Removed: epss {'score': 0.00046}
  Added: epss {'score': 0.00058}


Fri, 31 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 31 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in MagePeople Team Booking and Rental Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through 2.2.1.
Title WordPress WpRently | WordPress plugin plugin <= 2.2.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:05.554Z

Reserved: 2025-01-07T21:03:44.259Z

Link: CVE-2025-22720

Vulnrichment

Updated: 2025-01-31T19:30:53.340Z

NVD

Status: Deferred

Published: 2025-01-31T09:15:07.770

Modified: 2026-06-17T08:49:32.363

Link: CVE-2025-22720

OpenCVE Enrichment

Updated: 2026-05-01T18:15:22Z

Weaknesses