CVE-2026-27405
Description
Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WpBookingly: from n/a through 1.2.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WpBookingly plugin for WordPress allows unauthenticated access to higher-privileged actions, fixed in version 1.3.0.
Vulnerability
The WpBookingly plugin for WordPress by Magepeople inc. contains a missing authorization vulnerability in versions from n/a through 1.2.9. The plugin fails to properly validate access control security levels, allowing exploitation of incorrectly configured access controls. [1]
Exploitation
An attacker with network access to the WordPress site can exploit this vulnerability without authentication or user interaction. By sending direct requests to unprotected endpoints, the attacker can access functions that should be restricted to higher-privileged users. [1]
Impact
Successful exploitation allows an unprivileged attacker to perform actions intended for higher-privileged users, such as modifying data or settings. While the impact is considered low severity, the vulnerability may be used in mass-exploit campaigns targeting thousands of websites. [1]
Mitigation
The vulnerability is fixed in version 1.3.0. Users should update to 1.3.0 or later immediately. Patchstack users can enable auto-update for vulnerable plugins. No workaround is available besides updating. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.2.9
- Range: <=1.2.9
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.