CVE-2026-27405
Missing Authorization in WpBookingly Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| magepeople | wpbookingly | From 1.0.0 (inc) to 1.2.9 (inc) |
| magepeople | wpbookingly | 1.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the WpBookingly plugin allows unprivileged users to perform higher-privileged actions due to missing authorization checks, which constitutes broken access control.
Such broken access control issues can lead to unauthorized access or modification of sensitive data, potentially impacting compliance with standards and regulations like GDPR and HIPAA that require strict access controls to protect personal and health information.
Therefore, if exploited, this vulnerability could result in violations of these regulations by exposing or altering protected data without proper authorization.
Can you explain this vulnerability to me?
The WordPress WpBookingly Plugin, specifically versions 1.2.9 and below, has a Broken Access Control vulnerability (CVE-2026-27405). This vulnerability is caused by missing authorization, authentication, or nonce token checks, which allows unprivileged users to perform actions that should require higher privileges.
It is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS score of 6.5, indicating a moderate severity level.
How can this vulnerability impact me?
This vulnerability allows attackers with low privileges to perform higher-privileged actions within the WpBookingly plugin. This could lead to unauthorized changes or disruptions in the service booking management on affected WordPress sites.
Although considered a low priority, it could be exploited in mass campaigns targeting thousands of websites, potentially causing widespread unauthorized access or service disruption.
Immediate action to update the plugin to version 1.3.0 or later is recommended to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress WpBookingly Plugin versions 1.2.9 and below, where unprivileged users can perform higher-privileged actions due to missing authorization checks.
To detect if your system is vulnerable, first verify the installed version of the WpBookingly plugin.
- Check the plugin version via WordPress admin dashboard under Plugins.
- Alternatively, use the WP-CLI command: `wp plugin list | grep wpbookingly`
- Look for suspicious or unauthorized actions in your WordPress logs that indicate privilege escalation attempts.
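The version check above, carried through as an added example that is not part of this advisory or the plugin: it reads WP-CLI's plugin list and compares the installed WpBookingly version numerically against the affected range 1.0.0 to 1.2.9 listed here. The affected-version table also lists 1.3.0 while the fix guidance says to update to 1.3.0 or later, so confirm the boundary against the vendor changelog; the sample CSV is constructed.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin. Assumes WP-CLI (`wp`)
# is on PATH when run from the WordPress root; otherwise uses constructed sample data.

# Numeric, per-component comparison: succeeds when $1 <= $2 (so 1.2.9 < 1.2.10,
# which a plain string comparison would get wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }'
}

# Prints "vulnerable" when the version lies in 1.0.0..1.2.9 inclusive (the range
# the advisory lists), else "not-affected".
classify_wpbookingly() {
    if version_le "1.0.0" "$1" && version_le "$1" "1.2.9"; then
        echo "vulnerable"
    else
        echo "not-affected"
    fi
}

# Reads the CSV written by `wp plugin list --format=csv --fields=name,version`
# on stdin and prints the verdict for wpbookingly, or "not-installed".
check_from_csv() {
    verdict="not-installed"
    while IFS=, read -r name version; do
        [ "$name" = "wpbookingly" ] && verdict=$(classify_wpbookingly "$version")
    done
    echo "$verdict"
}

# Constructed sample of WP-CLI output, used when wp is not available.
SAMPLE_CSV='name,version
akismet,5.3
wpbookingly,1.2.9'

if command -v wp >/dev/null 2>&1; then
    wp plugin list --format=csv --fields=name,version | check_from_csv
else
    printf '%s\n' "$SAMPLE_CSV" | check_from_csv
fi
```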
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended action is to update the WpBookingly plugin to version 1.3.0 or later, where this vulnerability is patched.
If updating immediately is not possible, consider disabling the plugin temporarily to prevent exploitation.
Enable auto-updates for the plugin if you are using Patchstack or similar management tools to ensure timely patching.
Monitor your system for any suspicious activity related to privilege escalation attempts until the patch is applied.