VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 15, 2026· Updated Jun 15, 2026

CVE-2026-52699

CVE-2026-52699

Description

Unauthenticated IDOR in VikRentCar <=1.4.5 allows attackers to bypass authorization and access sensitive data or interact with the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated IDOR in VikRentCar <=1.4.5 allows attackers to bypass authorization and access sensitive data or interact with the database.

Vulnerability

VikRentCar plugin for WordPress versions 1.4.5 and earlier contain an Insecure Direct Object Reference (IDOR) vulnerability [1]. The vulnerability is unauthenticated, meaning no authentication is required to exploit it. The plugin fails to properly validate user access to direct object references, allowing unauthorized access.

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to manipulate object references (e.g., IDs) without authorization checks [1]. No prior authentication or user interaction is required.

Impact

Successful exploitation could allow an attacker to bypass authorization and access sensitive files/folders or interact with the database, potentially leading to information disclosure or data manipulation [1]. The vulnerability could be used in mass-exploit campaigns against thousands of websites.

Mitigation

The vulnerability is fixed in version 1.4.6 [1]. Users should update to version 1.4.6 or later immediately. As an interim measure, Patchstack provides a mitigation rule to block attacks until the update is applied [1].

References
  1. Insecure Direct Object References (IDOR) in WordPress VikRentCar Plugin

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.