Impact
An unauthenticated broken access control flaw exists in the WordPress Booking Package plugin versions 1.7.06 and earlier. The vulnerability allows an attacker to invoke protected plugin functionality without authenticating, creating a risk of unauthorized use of booking features. This weakness is identified as CWE-862, reflecting improperly controlled authorization.
Affected Systems
The flaw affects all WordPress sites that install the SaasProject Booking Package plugin version 1.7.06 or older. Any site that has not been updated to at least version 1.7.07 is at risk.
Risk and Exploitability
The CVSS score of 7.5 categorizes this issue as high severity. The EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA KEV. The attack vector is likely via unauthenticated HTTP requests directed at the plugin’s endpoints, which are accessible from any remote host that can reach the WordPress site.
OpenCVE Enrichment