Description
Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation. This issue affects Booking Activities: from n/a through <= 1.16.44.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Incorrect privilege assignment in the Booking Activities plugin allows an attacker with sufficient access to obtain higher privileges. The flaw resides in the way the plugin assigns or updates user roles, enabling privilege escalation when certain actions are performed. An attacker can potentially gain administrator privileges in the WordPress site, compromising confidentiality, integrity, and availability of the content and database.

Affected Systems

The vulnerability affects the WordPress Booking Activities plugin, developed by the Booking Activities Team, in versions 1.16.44 and earlier. Any installation running one of those versions is susceptible.

Risk and Exploitability

The CVSS base score is 8.1, a high severity rating. The EPSS score below 1% indicates a very low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the plugin's web interface within WordPress; the victim must be able to interact with the plugin's role assignment functionality, which is typically available to users with at least Contributor-level access.

Generated by OpenCVE AI on April 27, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking Activities plugin to version 1.16.45 or newer once a patch is released.
  • If an upgrade is not immediately possible, disable the plugin or restrict its functionality for all users except trusted administrators.
  • Implement an additional role-based access control review and audit to ensure no unintended privilege escalation is possible.
  • If the plugin is not required for business operations, remove it entirely from the WordPress installation.



Advisories

No advisories yet.

History

Thu, 29 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation. This issue affects Booking Activities: from n/a through <= 1.16.44.
Title | | WordPress Booking Activities plugin <= 1.16.44 - Privilege Escalation vulnerability
Weaknesses | | CWE-266
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:28:38.155Z

Reserved: 2025-12-15T10:00:16.552Z

Link: CVE-2025-67953

Vulnrichment

Updated: 2026-01-29T18:40:23.701Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:04.777

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67953

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses