VYPR
Medium severity (5.3) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 29, 2026

CVE-2026-39652

Description

Missing Authorization vulnerability in igms iGMS Direct Booking igms-direct-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iGMS Direct Booking: from n/a through <= 1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The iGMS Direct Booking WordPress plugin <=1.3 has a missing authorization vulnerability allowing unauthenticated access to privileged actions, exploited in mass campaigns.

Vulnerability Overview

The iGMS Direct Booking plugin for WordPress (versions up to and including 1.3) suffers from a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, leading to a broken access control condition [1]. This means that the plugin does not verify whether a user has the necessary privileges before allowing execution of higher-privileged actions.

Exploitation Details

Attackers can exploit this vulnerability without requiring any authentication, as the missing authorization check allows unauthenticated requests to trigger privileged operations. The vulnerability is particularly dangerous because it is being used in mass-exploit campaigns, targeting thousands of websites regardless of their size or traffic [1]. The attack surface is broad, as any site running the vulnerable plugin version is potentially exposed.

Impact

Successful exploitation enables an unprivileged attacker to perform actions that should be restricted to higher-privileged users, such as administrators. This could lead to unauthorized data access, modification of settings, or other malicious activities depending on the specific vulnerable function. The CVSS score of 5.3 (Medium) reflects the potential for significant impact without requiring complex attack conditions.

Mitigation

Users are strongly advised to update the iGMS Direct Booking plugin to a version newer than 1.3, as the vulnerability has been patched. If immediate updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1]. Given the active exploitation in mass campaigns, prompt action is critical.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
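The missing-authorization pattern the insight describes, shown as an added illustration in WordPress plugin code alongside its hardened form. This is not the iGMS Direct Booking plugin's code (the page does not identify the affected function); the hook names, option key and required capability are assumed for the example.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin; hook names, option key
// and capability are hypothetical, not taken from iGMS Direct Booking.

// --- Vulnerable pattern: the handler is reachable by unauthenticated visitors
// (wp_ajax_nopriv_) and performs an admin-level action with no capability check
// and no nonce, so any request can change the setting.
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_send_json_success();
}

// --- Hardened form: logged-in hook only, an explicit capability check matching
// the privilege the action needs, and a nonce against cross-site request forgery.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // Authorization: does this user actually hold the capability this action requires?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: was the request produced by a form or script this site issued?
    check_ajax_referer( 'example_save_settings', 'nonce' );

    update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_send_json_success();
}

// The same rule applies to REST routes: permission_callback must enforce the
// capability rather than returning true for everyone.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function example_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'example_api_key', sanitize_text_field( $request->get_param( 'api_key' ) ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

When auditing a plugin for this class, grep for `wp_ajax_nopriv_` hooks and `permission_callback` values of `__return_true` and confirm each reachable handler performs only actions an anonymous visitor is meant to perform.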

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.