CVE-2026-40774: WordPress Booking Package plugin <= 1.7.06 - Broken Access Control vulnerability

Synopsis

Broken access control in the WordPress Booking Package plugin (versions up to and including 1.7.06) allows an unauthenticated remote attacker to perform unauthorized write operations. The vulnerability is reachable over the network with no credentials required and no victim interaction needed, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives an attacker the ability to tamper with booking data or plugin-managed content, with no patch currently available from the vendor. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available the moment a fix is published.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must reach the WordPress site over the network; the vulnerable plugin endpoint is exposed to any remote caller.

• AuthenticationNot required

  No account or session credentials of any kind are needed to trigger the broken access control flaw.

• Victim interactionNot required

  The attack is fully server-side and requires no action from any user or administrator of the affected site.

• Attack complexityDetail

  Exploit conditions are straightforward and reliable, with no race conditions or environmental prerequisites required.

Blast Radius

• An attacker can make unauthorized writes to booking records or plugin-controlled data, bypassing the access checks that would normally enforce user privilege boundaries.
• Booking entries, availability settings, or other plugin-managed content can be created, modified, or deleted without any legitimate account.
• Depending on how the plugin integrates with the broader WordPress installation, tampered booking data may affect downstream business processes such as scheduling, notifications, or payment workflows.