Impact
Unauthenticated Insecure Direct Object References were discovered in WordPress VikRentCar plugin versions up to and including 1.4.5. The flaw allows an attacker to modify request parameters that reference object identifiers, thereby accessing or modifying booking records, user information and other sensitive data that should be protected. The weakness is classified as CWE‑639, indicating insufficient input validation and handling of direct object references.
Affected Systems
The vulnerable component is the VikRentCar plugin developed by e4jvikwp for WordPress. All installations running version 1.4.5 or earlier are impacted; the plugin functions as a vehicle for rental management within the WordPress environment.
Risk and Exploitability
The CVSS score of 7.5 reflects a high potential impact. The EPSS score indicates that the probability of exploitation is low but non‑zero, and the issue is not yet listed in the CISA KEV catalog. Attackers can exploit the vulnerability through the web interface of the WordPress site without authentication, making the attack vector wide and easily possible for remote users.
OpenCVE Enrichment