WordPress Plugin Vulnerabilities

Booking and Rental Manager < 2.3.7 - Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
booking-and-rental-manager-for-woocommerce
Fixed in 2.3.7

References

CVE
CVE-2025-39390
URL
https://patchstack.com/database/wordpress/plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-3-6-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
56157322-4d8d-42fa-88ef-4179fac96052

Timeline

Publicly Published
2025-04-18 (about 10 months ago)
Added
2025-04-21 (about 10 months ago)
Last Updated
2025-05-09 (about 10 months ago)

Other

Published
Title
Published
2026-01-22
Title
ElementCamp < 2.3.6 - Missing Authorization
Published
2025-10-16
Title
Acknowledgify < 1.1.4 - Missing Authorization
Published
2024-07-22
Title
Custom Query Blocks < 5.3.0 - Missing Authorization via REST Routes
Published
2024-08-20
Title
Event Espresso 4 Decaf – Event Registration Event Ticketing < 5.0.22.decafdecaf- Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification
Published
2026-01-05
Title
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress < 7.6.2 - Missing Authorization to Authenticated (Subscriber+) Information Exposure