Description
Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eagle Booking: from n/a through <= 1.3.4.3.
Published: 2025-12-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability, identified as CWE‑862 Missing Authorization, allows an attacker to change the settings of the Eagle Booking plugin within WordPress. By exploiting incorrectly configured access controls, an attacker can modify booking configurations, potentially altering pricing, availability, or other operational parameters. This change can lead to financial loss, service disruption, and a breach of user trust.

Affected Systems

The issue affects the Eagle-Themes Eagle Booking plugin on WordPress installations running any version up to and including 1.3.4.3. Any site that has installed or upgraded the plugin within this version range is at risk.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that exploitation is unlikely at this time, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is via authenticated access within the WordPress admin area or through tool‑based requests targeting the plugin’s settings endpoint. No publicly known exploits are documented, so the risk depends largely on the presence of privileged user accounts that have the capability to modify plugin configuration.

Generated by OpenCVE AI on April 29, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eagle Booking plugin to version 1.3.4.4 or later when an update becomes available.
  • Review the WordPress user roles and capabilities to ensure that only administrators can access and modify plugin settings; remove any unnecessary role permissions that allow editing of those settings.
  • If an upgrade is not immediately feasible, disable the plugin or remove it from the site until a patch is applied to prevent unauthorized configuration changes.

Generated by OpenCVE AI on April 29, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 30 Dec 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eagle Booking: from n/a through <= 1.3.4.3.
Title WordPress Eagle Booking plugin <= 1.3.4.3 - Settings Change vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.395Z

Reserved: 2025-12-29T11:17:52.921Z

Link: CVE-2025-68976

cve-icon Vulnrichment

Updated: 2025-12-30T21:50:46.501Z

cve-icon NVD

Status : Deferred

Published: 2025-12-30T11:15:56.140

Modified: 2026-04-27T19:16:38.577

Link: CVE-2025-68976

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T18:30:17Z

Weaknesses