CVE-2026-39587: WordPress WP BASE Booking plugin <= 5.9.0 - Privilege Escalation vulnerability
Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: — (no upstream fix published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated privilege escalation vulnerability affects the WP BASE Booking plugin for WordPress, versions 5.9.0 and below. The flaw is reachable over the network without any credentials, though exploitation requires meeting specific environmental conditions reflected in the high attack complexity rating. Successful exploitation allows an attacker to gain elevated privileges within WordPress, enabling full read, write, and availability impact on the affected installation. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage includes custom-built images that bundle the WP BASE Booking plugin.
- Scoring and triage: Available
HarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on configured ownership rules.
- Fix availability: Pending upstream
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.
- Authentication: Not required
No account or session credentials are needed; the attack path is fully unauthenticated.
- Victim interaction: Not required
The exploit does not require any action from an administrator or other user on the target site.
- Attack complexity: High
Exploitation is rated high complexity, meaning the attacker must satisfy specific environmental conditions, such as particular server-side state or timing requirements, before the privilege escalation succeeds reliably.
Blast Radius
- Attacker gains elevated WordPress privileges, up to and including administrator-level access.
- With elevated access, the attacker can read all stored site data including user credentials, personal information, and booking records.
- The attacker can modify or delete site content, plugin configurations, and persisted database rows.
- The attacker can disrupt availability of the WordPress service by removing core configuration or installing malicious code that destabilizes the application.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-39587 as of the publication date, the immediate focus is detection and compensating controls. HarborGuard continuously re-ingests the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically once WP BASE Booking ships a remediated release. In the interim, customers can use HarborGuard's network-policy suggestions to restrict inbound access to the WordPress installation to known IP ranges, apply egress filtering to limit lateral movement if the plugin endpoint is compromised, and consider disabling the plugin via feature-flag or configuration gating in environments where booking functionality is non-critical. For customers with auto-remediation enabled, once a fix version is published, HarborGuard will trigger a rebuild, run a regression test suite, and open a pull request against affected workloads without requiring manual intervention.
Affected Products
- Hakan Ozevin / WP BASE Booking: ≤ 5.9.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H