Impact
A missing authorization check in the Booking and Rental Manager plugin for WooCommerce allows users to call functions that were not protected by proper authorization checks. Because the plugin fails to verify the caller's permissions before performing certain operations, an attacker could invoke administrative features such as creating, editing, or deleting rental listings, reservations, or related data without authentication. This flaw does not lead to code execution or privilege escalation beyond the scope of the plugin's functionality, but it compromises the confidentiality and integrity of booking data for sites using the affected version. The weakness corresponds to the vulnerability type CWE-862, Broken Access Control.
Affected Systems
The issue affects WordPress sites using the Booking and Rental Manager plugin version 2.3.6 or older. The plugin is developed by MagepeopleTeam, and the vulnerable functionality is reachable by any authenticated user through the site's administrative interface or, depending on the specific call, possibly through publicly accessible endpoints that lack proper checks. Site owners should verify whether they are running any version up to and including 2.3.6.
Risk and Exploitability
The CVSS score of 5.3 represents a moderate impact, indicating that while the vulnerability can be abused to alter or delete booking data, it generally does not lead to a system-wide compromise. The EPSS score of less than 1% indicates a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog, further supporting a lower threat profile for current deployments. Nevertheless, the flaw allows unauthenticated or improperly authenticated users to reach functionality they should not be able to access, which can be abused if combined with social engineering or other credential compromise methods. Site administrators should apply the patch promptly given the risk of data tampering or loss.
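As an added illustration (not code from the Booking and Rental Manager plugin), the following hypothetical WordPress AJAX handler shows the CWE-862 pattern described in the Impact section beside a version with the capability and nonce checks that close it; the action name, the post type slug 'brm_listing' and the function names are assumptions.

```php
<?php
// Added illustrative example, not code from the Booking and Rental Manager plugin.
// Hypothetical admin-ajax handler that deletes a rental listing stored as a post.

// BEFORE: CWE-862 pattern. The handler is registered for logged-in users
// (wp_ajax_) and, through wp_ajax_nopriv_, also for unauthenticated callers,
// and it performs no capability or nonce check before deleting.
add_action( 'wp_ajax_brm_delete_listing',        'brm_delete_listing_unchecked' );
add_action( 'wp_ajax_nopriv_brm_delete_listing', 'brm_delete_listing_unchecked' );

function brm_delete_listing_unchecked() {
    $post_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    wp_delete_post( $post_id, true ); // any caller can delete any post by id
    wp_send_json_success();
}

// AFTER: the same operation with the checks WordPress expects.
// 1. Register only the authenticated hook; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_brm_delete_listing', 'brm_delete_listing_checked' );

function brm_delete_listing_checked() {
    // 2. CSRF: the request must carry a nonce issued for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'brm_delete_listing', 'nonce' );

    $post_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;

    // 3. Authorization: the caller must be allowed to delete this specific post.
    //    'delete_post' is a meta-capability resolved per post, so an author cannot
    //    delete another user's listing unless their role grants delete_others_posts.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Restrict the handler to the plugin's own post type (hypothetical slug).
    if ( get_post_type( $post_id ) !== 'brm_listing' ) {
        wp_send_json_error( array( 'message' => 'invalid listing' ), 400 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// The admin script must send the nonce with the request, e.g. via wp_localize_script():
// wp_localize_script( 'brm-admin', 'brmAjax', array(
//     'nonce' => wp_create_nonce( 'brm_delete_listing' ),
// ) );
```

When auditing a plugin for this class of flaw, look for every wp_ajax_nopriv_ registration and every wp_ajax_ or REST callback that performs a write without a current_user_can() call.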