Description
Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions.
Published: 2026-06-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated users can exploit a flaw in WordPress WP BASE Booking versions 5.9.0 and earlier to elevate privileges. The vulnerability stems from insufficient authentication checks, allowing attackers to gain administrative rights within the plugin and potentially the entire WordPress site. This leads to full control over booking data, configuration, and possibly the underlying WordPress environment.

Affected Systems

The issue affects the WP BASE Booking plugin developed by Hakan Ozevin. All instances running version 5.9.0 or lower are susceptible. Upgrading to the latest release (6.0.0 or newer) removes the flaw.

Risk and Exploitability

The CVSS score of 8.1 denotes a high severity. The EPSS score is below 1%, indicating a very low likelihood of widespread exploitation at present, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to send unauthenticated HTTP requests to the plugin; because the flaw permits privilege escalation without prior authentication, a lone attacker can compromise the site once the flaw is triggered.

Generated by OpenCVE AI on June 17, 2026 at 00:41 UTC.

Remediation

Vendor Solution

Update the WordPress WP BASE Booking Plugin to the latest available version (at least 6.0.0).


OpenCVE Recommended Actions

  • Update the WordPress WP BASE Booking Plugin to version 6.0.0 or newer to eliminate the vulnerability.
  • If the plugin is not required, uninstall or disable it to remove the attack surface.
  • Restrict access to plugin administration pages by ensuring only administrators have permission to configure or modify booking settings.
  • Deploy a Web Application Firewall rule to block repeated unauthorized requests to the booking endpoints, reducing the chance of successful exploitation after patching.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Values Added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Values Added (no values removed):

  • Description: Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions.
  • Title: WordPress WP BASE Booking plugin <= 5.9.0 - Privilege Escalation vulnerability
  • Weaknesses: CWE-266
  • References
  • Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:33:13.234Z

Reserved: 2026-04-07T10:48:44.714Z

Link: CVE-2026-39587

Vulnrichment

Updated: 2026-06-16T12:33:09.359Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:47.923

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:45:04Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment