VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 15, 2026· Updated Jun 15, 2026

CVE-2026-40774

CVE-2026-40774

Description

Unauthenticated broken access control in Booking Package <=1.7.06 allows unprivileged attackers to perform higher-privileged actions via missing authorization checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated broken access control in Booking Package <=1.7.06 allows unprivileged attackers to perform higher-privileged actions via missing authorization checks.

Vulnerability

The Booking Package plugin for WordPress versions 1.7.06 and earlier suffer from an unauthenticated broken access control vulnerability. This means the plugin fails to properly enforce authorization, authentication, or nonce token checks in certain functions, allowing requests without proper credentials to reach privileged actions [1].

Exploitation

An attacker needs only network access to a site running the vulnerable plugin. No authentication or user interaction is required. The attacker can directly send crafted HTTP requests to the vulnerable endpoints, exploiting the missing access control to execute functions normally restricted to higher-privileged users [1].

Impact

Successful exploitation allows an unprivileged attacker to perform actions that should require higher privileges. This could lead to unauthorized modification of settings, data exposure, or other unintended operations depending on the affected functionality. The CVSS v3 base score is 7.5 (High), indicating serious potential for impact on confidentiality, integrity, or availability [1].

Mitigation

The vulnerability is fixed in version 1.7.07 of the Booking Package plugin. Users should update to this version or later immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workaround other than updating is provided in the references [1].

References
  1. Broken Access Control in WordPress Booking Package Plugin

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.