Description
Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manager: from n/a through <= 2.6.0.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Booking and Rental Manager plugin for WooCommerce. It allows an attacker to bypass the standard access control checks defined by the plugin and perform actions intended only for privileged users. This could enable unauthorized manipulation of booking records, viewing of sensitive customer information, or other privileged operations. The flaw corresponds to CWE‑862, indicating an authorization error.

Affected Systems

This issue affects the Booking and Rental Manager plugin, developed by magepeopleteam, for all WordPress sites running the plugin through version 2.6.0. Any site using these versions is vulnerable until the plugin is updated.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk. The EPSS score below 1% suggests that exploitation is unlikely but still possible, especially in high‑value target configurations. The problem is not listed in the CISA KEV catalog, indicating there are no known large‑scale attacks at this time. The most probable attack vector is a web request to a plugin endpoint that lacks proper authorization checks; an attacker who can reach the plugin, even as a non‑administrator, may exploit the flaw.

Generated by OpenCVE AI on March 26, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking and Rental Manager plugin to the latest available version (2.6.1 or newer).
  • If updating is not immediately possible, restrict access to the plugin’s booking and rental pages so that only users with administrator privileges can reach them, using role‑based access control or a security plugin.
  • Review and re‑configure the plugin’s built-in security settings to ensure correct permissions are enforced.
  • After applying a patch or configuration change, test the plugin to verify that unauthorized actions are no longer possible.

Generated by OpenCVE AI on March 26, 2026 at 18:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Magepeople
Magepeople booking & Rental Manager
Wordpress
Wordpress wordpress
Vendors & Products Magepeople
Magepeople booking & Rental Manager
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manager: from n/a through <= 2.6.0.
Title WordPress Booking and Rental Manager plugin <= 2.6.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Magepeople Booking & Rental Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T16:50:47.329Z

Reserved: 2026-01-19T16:14:52.936Z

Link: CVE-2026-23972

cve-icon Vulnrichment

Updated: 2026-03-26T16:32:38.710Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:36.280

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-23972

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:33Z

Weaknesses