CVE-2026-23972
Missing Authorization in Booking and Rental Manager
Publication date: 2026-03-25
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| magepeopleteam | booking_and_rental_manager | Up to 2.6.0 (inc) |
| magepeople | booking_and_rental_manager | From 2.0.0 (inc) to 2.6.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-23972 vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions reserved for higher privilege levels due to missing authorization checks.
Such unauthorized access can lead to exposure or manipulation of sensitive data, which may impact compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.
Therefore, if exploited, this vulnerability could result in violations of these regulations by failing to adequately protect user data and enforce proper access restrictions.
Can you explain this vulnerability to me?
CVE-2026-23972 is a Missing Authorization vulnerability in the Booking and Rental Manager Plugin for WordPress (versions up to 2.6.0). It is a Broken Access Control issue where certain plugin functions lack proper authorization, authentication, or nonce token checks.
This flaw allows unprivileged users, such as those with only subscriber-level access, to perform actions that should be restricted to higher privilege levels.
The vulnerability is classified as medium priority with a CVSS score of 6.5 and falls under the OWASP Top 10 category A1: Broken Access Control.
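The CWE-862 pattern described above, shown as an added illustration in generic WordPress plugin code. This is not code from the Booking and Rental Manager plugin; every function name, AJAX action, nonce action and meta key below is a hypothetical placeholder. The first handler shows the defect class (a `wp_ajax_` handler that trusts any logged-in user, so a subscriber can call it), the second shows the nonce and capability checks that close it.

```php
<?php
// Added illustration, not code from the Booking and Rental Manager plugin.
// All function, action, capability and meta-key names are hypothetical placeholders.

// Defect pattern: wp_ajax_ hooks fire for every authenticated user, including
// subscribers, so this handler performs a privileged write without checking
// either a nonce or a capability. This is what CWE-862 describes.
function example_vulnerable_update_booking() {
    $booking_id = isset($_POST['booking_id']) ? absint($_POST['booking_id']) : 0;
    $status     = isset($_POST['status']) ? sanitize_text_field(wp_unslash($_POST['status'])) : '';
    update_post_meta($booking_id, '_example_booking_status', $status); // no authorization check
    wp_send_json_success();
}
add_action('wp_ajax_example_vulnerable_update_booking', 'example_vulnerable_update_booking');

// Hardened form: verify the nonce first (rejects forged cross-site requests),
// then require a capability that subscriber-level accounts do not hold.
function example_hardened_update_booking() {
    // Sends a 403 and stops execution if the nonce is missing or invalid.
    check_ajax_referer('example_update_booking', 'nonce');

    // Authorization: only users who may edit other users' posts can change
    // booking records. Subscribers fail this check.
    if (! current_user_can('edit_others_posts')) {
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    $booking_id = isset($_POST['booking_id']) ? absint($_POST['booking_id']) : 0;
    $status     = isset($_POST['status']) ? sanitize_text_field(wp_unslash($_POST['status'])) : '';
    if (! $booking_id || '' === $status) {
        wp_send_json_error(array('message' => 'Invalid input.'), 400);
    }

    update_post_meta($booking_id, '_example_booking_status', $status);
    wp_send_json_success();
}
add_action('wp_ajax_example_hardened_update_booking', 'example_hardened_update_booking');

// The nonce the hardened handler expects is issued to the admin page that
// submits the request and returned in the POST body as 'nonce'.
function example_enqueue_booking_admin_script() {
    wp_enqueue_script('example-booking-admin', plugins_url('admin.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('example-booking-admin', 'exampleBooking', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('example_update_booking'),
    ));
}
add_action('admin_enqueue_scripts', 'example_enqueue_booking_admin_script');
```

The order of the two checks matters: `check_ajax_referer` proves the request came from a page this site issued a token to, and `current_user_can` proves the caller's role permits the action. A nonce alone is not authorization (any logged-in user can obtain one from a page they are allowed to view), which is why advisories of this class list nonce, authentication and authorization checks separately.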
How can this vulnerability impact me?
This vulnerability can allow attackers with low-level access to perform unauthorized privileged actions within the Booking and Rental Manager Plugin.
Such unauthorized actions could lead to manipulation of booking or rental data, unauthorized changes to configurations, or other administrative functions that should be protected.
Because the vulnerability can be exploited by unprivileged users, it poses a significant security risk and can be targeted in mass campaigns affecting many websites.
Immediate updating to version 2.6.1 or later is strongly recommended to mitigate these risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, allowing unprivileged users to perform privileged actions. Detection involves monitoring for unauthorized access attempts or unusual activity targeting the Booking and Rental Manager Plugin functions.
While specific commands are not provided, users can look for suspicious HTTP requests to the plugin endpoints that perform privileged actions without proper authentication. Network monitoring tools or web application firewalls can be configured to detect such anomalous requests.
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended step is to update the Booking and Rental Manager Plugin to version 2.6.1 or later, where the broken access control vulnerability is patched.
Until the update can be applied, users of Patchstack can enable an automatic mitigation rule provided by Patchstack to block attacks targeting this vulnerability.
Additionally, enabling auto-updates specifically for vulnerable plugins can help ensure ongoing protection.