Description
Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw that permits attackers to bypass the intended access control policies of the Bus Ticket Booking with Seat Reservation plugin. By exploiting incorrectly configured security levels, an attacker can perform actions reserved for privileged users, such as modifying seat allocations and booking details, potentially disrupting event management and revenue. The weakness maps to CWE-862, indicating a failure to enforce proper authorization checks.

Affected Systems

Any WordPress site running the Bus Ticket Booking with Seat Reservation plugin prior to version 5.6.8, as provided by Magepeople Inc., is affected. Vendors and site administrators using earlier plugin releases should review their deployments.

Risk and Exploitability

The CVSS score of 5.3 places this issue in the medium severity band, illustrating that while the flaw does not grant remote code execution, it can significantly compromise data integrity and availability. The EPSS score is not available, so the exact likelihood of exploitation is unknown, but the lack of listing in CISA KEV suggests no documented active exploitation. The most likely attack vector is through the web application interface, where an attacker equipped with an account of insufficient privilege can access protected administration pages by manipulating URLs or form inputs.

Generated by OpenCVE AI on May 7, 2026 at 09:22 UTC.

Remediation

Vendor Solution

Update the WordPress Bus Ticket Booking with Seat Reservation Plugin to the latest available version (at least 5.6.8).


OpenCVE Recommended Actions

  • Upgrade the Bus Ticket Booking with Seat Reservation plugin to version 5.6.8 or later.
  • After upgrading, verify that only users with proper administrative capabilities can access or modify seat booking data.
  • If upgrading is not possible, enforce stricter role‑based access controls for the plugin’s admin pages or disable the plugin entirely.


Advisories

No advisories yet.

History

Thu, 07 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 07 May 2026 08:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8. |
| Title | | WordPress Bus Ticket Booking with Seat Reservation plugin < 5.6.8 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-07T13:04:06.180Z

Reserved: 2025-11-21T11:21:20.344Z

Link: CVE-2025-66105

Vulnrichment

Updated: 2026-05-07T13:04:02.349Z

NVD

Status: Deferred

Published: 2026-05-07T09:16:26.497

Modified: 2026-05-07T14:00:48.567

Link: CVE-2025-66105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T09:30:06Z

Weaknesses