Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an authentication bypass that allows an attacker to abuse alternate paths or channels within the WordPress WeDesignTech Ultimate Booking Addon plugin. By exploiting this flaw an attacker can gain unauthorized access and take control of a user account, leading to full compromise of the booking system. The weakness is identified as CWE-288, a classic authentication issue.

Affected Systems

WordPress sites running the WeDesignTech Ultimate Booking Addon plugin version 1.0.1 or earlier are affected. The vulnerability applies to all installations of this plugin up to and including 1.0.1.

Risk and Exploitability

The CVSS score is 9.8, indicating a critical severity. The EPSS score is less than 1% suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely target exposed WordPress sites that have the vulnerable plugin installed, submitting crafted requests that bypass authentication. The lack of a publicly disclosed exploit means the risk is based on potential to develop a proof‑of‑concept rather than existing off‑the‑shelf payloads.

Generated by OpenCVE AI on April 15, 2026 at 23:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WeDesignTech Ultimate Booking Addon plugin to version 1.0.2 or later.
  • Deactivate or remove the plugin from the WordPress installation if an update cannot be applied immediately.
  • Monitor access logs for suspicious login attempts and block IPs that show repeated authentication malfunction patterns.

Generated by OpenCVE AI on April 15, 2026 at 23:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Designthemes
Designthemes wedesigntech Ultimate Booking Addon
Wordpress
Wordpress wordpress
Vendors & Products Designthemes
Designthemes wedesigntech Ultimate Booking Addon
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.
Title WordPress WeDesignTech Ultimate Booking Addon plugin <= 1.0.1 - Account Takeover vulnerability
Weaknesses CWE-288
References

Subscriptions

Designthemes Wedesigntech Ultimate Booking Addon
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:15.555Z

Reserved: 2026-02-19T09:52:03.312Z

Link: CVE-2026-27389

cve-icon Vulnrichment

Updated: 2026-03-09T15:35:10.962Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:28.520

Modified: 2026-03-09T16:16:20.167

Link: CVE-2026-27389

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T23:45:05Z

Weaknesses