{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23972", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-19T16:14:52.936Z", "datePublished": "2026-03-25T16:14:30.153Z", "dateUpdated": "2026-03-26T16:50:47.329Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "booking-and-rental-manager-for-woocommerce", "product": "Booking and Rental Manager", "vendor": "magepeopleteam", "versions": [{"changes": [{"at": "2.6.1", "status": "unaffected"}], "lessThanOrEqual": "<= 2.6.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:11.623Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Booking and Rental Manager: from n/a through <= 2.6.0.</p>"}], "value": "Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manager: from n/a through <= 2.6.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:30.153Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-6-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Booking and Rental Manager plugin <= 2.6.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:45:17.279132Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:50:47.329Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:45:17.279132Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:38.710Z"}}], "cna": {"title": "WordPress Booking and Rental Manager plugin <= 2.6.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "magepeopleteam", "product": "Booking and Rental Manager", "versions": [{"status": "affected", "changes": [{"at": "2.6.1", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.6.0"}], "packageName": "booking-and-rental-manager-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:11.623Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-6-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manager: from n/a through <= 2.6.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Booking and Rental Manager: from n/a through <= 2.6.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:30.153Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23972", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:40:32.780Z", "dateReserved": "2026-01-19T16:14:52.936Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:30.153Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manager: from n/a through <= 2.6.0."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Booking and Rental Manager: desde n/a hasta &lt;= 2.6.0."}], "id": "CVE-2026-23972", "lastModified": "2026-03-26T17:16:28.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:36.280", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-6-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.6.1,*]"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Booking and Rental Manager", "source": "cna", "vendor": "magepeopleteam"}, "product": "booking_&_rental_manager", "vendor": "magepeople"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:46:35.086588+00:00", "value": {"mitigation_remediation": ["Update the Booking and Rental Manager plugin to a version newer than 2.6.0", "Review that the new release contains proper authorization checks on all booking-related endpoints", "Audit user roles and capabilities to ensure least-privilege access", "If an immediate update is not possible, disable the vulnerable plugin or restrict its accessibility to trusted administrators", "Monitor site logs for any abnormal booking activity or unexpected user actions"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the magepeopleteam Booking and Rental Manager WordPress plugin for WooCommerce, versions from the earliest available through 2.6.0. Users running any release up to and including 2.6.0 are at risk; later releases are assumed to contain the fix.", "description_and_impact": "This vulnerability arises from missing authorization checks within the Booking and Rental Manager plugin, allowing users who normally lack permission to perform sensitive actions such as creating, editing, or deleting bookings. The flaw can enable an attacker to access or alter customer booking data, potentially exposing confidential information or disrupting reservation workflows. The issue is identified as CWE\u2011862 \u2013 Missing Authorization, which directly ties the risk to improper access controls.", "risk_and_exploitability": "The public scoring data does not list a CVSS or EPSS value, and the vulnerability is not cataloged as a known exploited vulnerability. Inference from the nature of the flaw suggests the attack vector is remote via the web interface of a WordPress site. Exploitation would require the attacker to access the site with an account that can trigger the vulnerable endpoint, but the missing authorization check means they need not possess elevated privileges. Given the lack of documented exploits, the risk can be considered moderate to high for sites running the affected plugin, but the opportunity for compromise exists unless mitigated."}}}}, "created": "2026-03-25T21:34:57.541512+00:00", "updated": "2026-03-26T11:40:11.338809+00:00", "vendors": ["magepeople", "magepeople$PRODUCT$booking_&_rental_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}