CVE-2026-39572
Information Exposure in Bus Ticket Booking Plugin Before
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| magepeopleteam | bus_ticket_booking_with_seat_reservation | up to 5.6.5 (exclusive) |
| magepeople | bus_ticket_booking_with_seat_reservation | up to 5.6.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39572 is a Sensitive Data Exposure vulnerability in the WordPress Bus Ticket Booking with Seat Reservation plugin versions prior to 5.6.5.
This flaw allows unauthenticated attackers to access sensitive information that is normally restricted to regular users.
It is classified under the OWASP Top 10 category A3: Sensitive Data Exposure and has a low severity rating with a CVSS score of 4.3.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-39572 vulnerability involves exposure of sensitive data to unauthorized users, which can potentially impact compliance with data protection standards such as GDPR and HIPAA. Sensitive Data Exposure is a critical concern under these regulations because unauthorized access to personal or protected health information can lead to violations of privacy and data security requirements.
Although the vulnerability is rated as low severity with a CVSS score of 4.3 and exploitation is considered unlikely, any unauthorized access to sensitive information may still pose compliance risks. Organizations using the affected plugin should promptly apply the patch (version 5.6.5 or later) to mitigate these risks and maintain compliance with relevant standards.
How can this vulnerability impact me?
This vulnerability can allow attackers who are not logged in to retrieve sensitive system information that should be protected.
Although the impact is considered low and exploitation unlikely, attackers may use this vulnerability in mass-exploit campaigns targeting many websites.
Access to sensitive data could potentially enable further exploitation of the affected system.
The recommended mitigation is to update the plugin to version 5.6.5 or later to prevent unauthorized data exposure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects versions of the WordPress Bus Ticket Booking with Seat Reservation plugin prior to 5.6.5 and allows unauthenticated access to sensitive data. Detection involves identifying if the vulnerable plugin version is installed on your WordPress site.
To detect the vulnerability on your system, you can check the installed plugin version by running commands that query the WordPress plugins directory or by inspecting the plugin version from the WordPress admin dashboard.
- Use WP-CLI to check the plugin version: `wp plugin list --status=active`
- Look specifically for `bus-ticket-booking-with-seat-reservation` and verify whether its version is below 5.6.5.
- Alternatively, you can inspect the plugin's readme or main PHP file in the `wp-content/plugins/bus-ticket-booking-with-seat-reservation/` directory to find the version number.
Network detection of exploitation attempts is difficult due to the nature of the vulnerability, but monitoring HTTP requests for unusual access patterns to plugin endpoints or sensitive data exposure attempts may help.
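The version check described above, written as a script that can be run across several WordPress roots. This is an added example, not code from the advisory or the plugin vendor; the function names are made up for illustration, and it assumes a host with `sort -V`. It uses WP-CLI's `wp plugin get` when available and otherwise reads the `Version:` header from the plugin's PHP files.

```shell
#!/bin/sh
# Added example: flag installs of the plugin older than the fixed release.
# Usage (script name is hypothetical): sh check_plugin.sh /var/www/site1 /var/www/site2
FIXED="5.6.5"                                      # fixed version, from the advisory
SLUG="bus-ticket-booking-with-seat-reservation"   # plugin directory, from the advisory

# version_lt A B: succeeds when version A sorts strictly before version B.
# Assumes `sort -V` (GNU coreutils or busybox) is available on the host.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# header_version DIR: print the "Version:" plugin header found in DIR/*.php.
# Trailing whitespace (including CR from CRLF files) is stripped.
header_version() {
    grep -hiE '^[[:space:]*#/]*Version:' "$1"/*.php 2>/dev/null |
        head -n 1 | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//'
}

# installed_version ROOT: ask WP-CLI first, fall back to the file header.
installed_version() {
    if command -v wp >/dev/null 2>&1 &&
       v=$(wp plugin get "$SLUG" --field=version --path="$1" 2>/dev/null) &&
       [ -n "$v" ]; then
        echo "$v"
    else
        header_version "$1/wp-content/plugins/$SLUG"
    fi
}

# check_site ROOT: returns 0 = patched, 1 = vulnerable, 2 = plugin not found.
check_site() {
    v=$(installed_version "$1")
    if [ -z "$v" ]; then
        echo "$1: plugin not found"; return 2
    fi
    if version_lt "$v" "$FIXED"; then
        echo "$1: $SLUG $v is below $FIXED, update required"; return 1
    fi
    echo "$1: $SLUG $v is patched"; return 0
}

# Check every WordPress root given on the command line.
for root in "$@"; do
    check_site "$root" || true
done
```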
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to update the Bus Ticket Booking with Seat Reservation plugin to version 5.6.5 or later.
Additionally, users of Patchstack can enable auto-updates specifically for vulnerable plugins to ensure rapid protection.