CVE-2026-39675

Vulnerability

Overview

The Court Reservation plugin for WordPress, versions up to and including 1.10.11, contains a missing authorization checks in certain functions. This broken access control vulnerability allows an attacker to exploit incorrectly configured access control security levels [1].

Exploitation

The vulnerability can be exploited without authentication, as the plugin fails to properly verify user permissions or nonce tokens before executing privileged actions. This makes it possible for unauthenticated attackers to perform actions that should require higher-level privileges [1].

Impact

Successful exploitation could allow an attacker to modify court reservations, access sensitive data, or perform other unauthorized operations within the WordPress site. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Mitigation

The vendor has not released a patched version beyond 1.10.11 at the time of publication. Users are strongly advised to update the plugin immediately if a fix becomes available, or to contact their hosting provider or web developer for assistance. As a temporary measure, disabling the plugin may reduce risk [1].