CVE-2026-39652
Received Received - Intake
Missing Authorization in iGMS Direct Booking Allows Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in igms iGMS Direct Booking igms-direct-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iGMS Direct Booking: from n/a through <= 1.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39652
EUVD
EUVD-2026-20319
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
igms direct_booking to 1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the WordPress iGMS Direct Booking Plugin (versions up to and including 1.3) is a Broken Access Control issue caused by missing authorization, authentication, or nonce token checks in certain plugin functions.

This flaw allows unauthenticated users to perform actions that normally require higher privileges, meaning attackers can exploit the plugin to bypass security controls.

It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 5.3, indicating a low priority threat with limited impact.

Impact Analysis

This vulnerability could allow attackers to perform unauthorized actions on websites using the affected plugin, potentially compromising site functionality or data.

Although the risk is considered low and exploitation unlikely, attackers might use this flaw in mass-exploit campaigns targeting many websites indiscriminately.

Immediate mitigation involves updating the plugin; if that is not possible, users should seek help from their hosting provider or web developer.

Detection Guidance

The vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions, allowing unauthenticated users to perform privileged actions.

There are no specific detection commands or network signatures provided for identifying exploitation attempts of this vulnerability.

Detection would likely involve reviewing the plugin version (up to and including 1.3) installed on your WordPress site and checking for unauthorized access or actions that should require higher privileges.

Mitigation Strategies

Immediate mitigation involves updating the affected iGMS Direct Booking plugin to a version higher than 1.3 if such an update becomes available.

Since no official patch is currently available, users are advised to seek assistance from their hosting provider or web developer to implement temporary access control measures.

Monitoring for unauthorized access and restricting access to the plugin's administrative functions can also help reduce risk.

Compliance Impact

The vulnerability involves missing authorization and broken access control, which could potentially allow unauthorized users to perform privileged actions. Such security weaknesses can lead to unauthorized access to sensitive data or system functions.

While the provided information does not explicitly mention compliance impacts with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical requirements under these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance by exposing personal or protected health information to unauthorized parties, potentially leading to regulatory violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39652. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart