CVE-2026-39525

Vulnerability

The Booking Activities WordPress plugin versions 1.16.48.1 and earlier are affected by an unauthenticated broken access control vulnerability. The issue stems from a missing authorization, authentication, or nonce token check in a function, which leaves a code path reachable by unauthenticated users without any special configuration being required [1].

Exploitation

An attacker does not need any authentication or prior access to the targeted WordPress site. By sending a crafted request to the vulnerable endpoint, the attacker can exploit the missing access control to execute actions that are normally restricted to higher-privileged users. No user interaction or specific network position beyond the ability to reach the site is required [1].

Impact

Successful exploitation allows an unauthenticated attacker to perform privileged actions, leading to a broken access control scenario. The exact CIA outcome depends on the affected function but may include unauthorized information disclosure, data modification, or other administrative-level operations. The vulnerability is rated with a CVSS v3 score of 6.5 (Medium) [1].

Mitigation

The vulnerability has been fixed in version 1.17.0 of the Booking Activities plugin. Users are advised to update to version 1.17.0 or later immediately. If updating is not possible, users should consult their hosting provider or web developer for assistance. Patchstack has released a mitigation rule to block attacks until the update is applied, and Patchstack users can enable auto-updates for vulnerable plugins only [1].