VYPR
Medium severity (5.3) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 29, 2026

CVE-2026-39678

Description

Missing Authorization vulnerability in DOTonPAPER Pinpoint Booking System booking-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pinpoint Booking System: from n/a through <= 2.9.9.6.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Pinpoint Booking System plugin (≤2.9.9.6.5) allows attackers to exploit broken access control for unauthorized actions.

Vulnerability Overview

CVE-2026-39678 is a missing authorization vulnerability in the Pinpoint Booking System plugin for WordPress. The plugin fails to properly enforce access control checks, allowing attackers to exploit incorrectly configured security levels. This affects all versions up to and including 2.9.9.6.5 [1].

Exploitation

An attacker can exploit this vulnerability without needing high-level privileges, as the broken access control permits unprivileged users to execute actions that should require higher permissions. The attack vector is likely through direct manipulation of HTTP requests or by accessing functions that lack proper authorization checks [1].

Impact

Successful exploitation can lead to unauthorized modifications to the booking system, such as creating, editing, or deleting bookings, or accessing sensitive configuration data. This may disrupt the service or expose customer information [1].

Mitigation

The vulnerability has been patched in version 2.9.9.6.6 and later. Users are strongly advised to update the plugin immediately. If updating is not possible, consider implementing additional access controls or contacting your hosting provider for assistance [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
