CVE-2026-27405
Deferred Deferred - Pending Action
Missing Authorization in WpBookingly Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Patchstack

Description
Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-27405
EUVD
EUVD-2026-31097
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
magepeople wpbookingly From 1.0.0 (inc) to 1.2.9 (inc)
magepeople wpbookingly 1.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in the WpBookingly plugin allows unprivileged users to perform higher-privileged actions due to missing authorization checks, which constitutes broken access control.

Such broken access control issues can lead to unauthorized access or modification of sensitive data, potentially impacting compliance with standards and regulations like GDPR and HIPAA that require strict access controls to protect personal and health information.

Therefore, if exploited, this vulnerability could result in violations of these regulations by exposing or altering protected data without proper authorization.

Executive Summary

The WordPress WpBookingly Plugin, specifically versions 1.2.9 and below, has a Broken Access Control vulnerability (CVE-2026-27405). This vulnerability is caused by missing authorization, authentication, or nonce token checks, which allows unprivileged users to perform actions that should require higher privileges.

It is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS score of 6.5, indicating a moderate severity level.

Impact Analysis

This vulnerability allows attackers with low privileges to perform higher-privileged actions within the WpBookingly plugin. This could lead to unauthorized changes or disruptions in the service booking management on affected WordPress sites.

Although considered a low priority, it could be exploited in mass campaigns targeting thousands of websites, potentially causing widespread unauthorized access or service disruption.

Immediate action to update the plugin to version 1.3.0 or later is recommended to mitigate this risk.

Detection Guidance

This vulnerability affects the WordPress WpBookingly Plugin versions 1.2.9 and below, where unprivileged users can perform higher-privileged actions due to missing authorization checks.

To detect if your system is vulnerable, first verify the installed version of the WpBookingly plugin.

  • Check the plugin version via WordPress admin dashboard under Plugins.
  • Alternatively, use WP-CLI command: wp plugin list | grep wpbookingly
  • Look for suspicious or unauthorized actions in your WordPress logs that indicate privilege escalation attempts.
Mitigation Strategies

The immediate recommended action is to update the WpBookingly plugin to version 1.3.0 or later, where this vulnerability is patched.

If updating immediately is not possible, consider disabling the plugin temporarily to prevent exploitation.

Enable auto-updates for the plugin if you are using Patchstack or similar management tools to ensure timely patching.

Monitor your system for any suspicious activity related to privilege escalation attempts until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart