HarborGuard Database
HIGH · CVE-2026-52699 · CNA: Patchstack

CVE-2026-52699: WordPress VikRentCar plugin <= 1.4.5 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

An Insecure Direct Object Reference (IDOR) vulnerability exists in the WordPress VikRentCar plugin at version 1.4.5 and below. The flaw is reachable over the network without any authentication, meaning any anonymous HTTP request can reference internal object identifiers to access data that should be restricted. Successful exploitation allows an attacker to read confidential data served by the plugin, such as rental records or customer information. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-52699 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including the Patchstack advisory feed within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the VikRentCar plugin. Any image carrying VikRentCar at version 1.4.5 or below is flagged automatically.

Triage (Available)

Triage is available with a CVSS v3.1 score of 7.5 (HIGH), and HarborGuard applies each customer organization's compliance policy weighting to determine urgency and route the finding to the appropriate team inbox. Per-environment context, such as whether the affected image is exposed on a public-facing workload, is surfaced alongside the scored finding to help prioritize response.

Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor releases a remediated version. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerability is exposed over the network (AV:N); an attacker must be able to send HTTP requests to the WordPress installation hosting the plugin.

  • Authentication: Not required

    No credentials or account are needed (PR:N); the attack can be carried out by any unauthenticated party.

  • Victim interaction: Not required

    No action from any user or administrator is required to trigger the vulnerability (UI:N).

  • Attack complexity: Low

    Attack complexity is low (AC:L); exploitation is reliable and requires no special conditions, race windows, or environmental prerequisites.

Blast Radius

  • An attacker reads object records managed by the VikRentCar plugin, such as vehicle rental bookings, reservation details, or associated customer data, by manipulating object reference identifiers in requests.
  • Confidentiality impact is rated High (C:H), meaning the full scope of data accessible through the vulnerable reference mechanism can be read by an unauthenticated party.
  • Integrity and availability are not affected (I:N, A:N); the attacker cannot modify records or disrupt service through this specific flaw.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-52699 as of publication, the platform monitors the Patchstack advisory and the VikRentCar release feed on every ingest cycle. The moment e4jvikwp publishes a remediated version, a patched-image rebuild becomes available and, for customers who opt into auto-remediation, the rebuild is triggered immediately, followed by a regression test run and a PR opened against affected workloads.

In the interim, compensating controls worth considering include network-policy isolation that restricts unauthenticated external access to WordPress installations carrying this plugin, egress filtering to limit lateral data exposure if the plugin makes outbound calls, and temporarily disabling the plugin via a feature flag or WordPress plugin management if rental-car functionality is not actively in use. Any image containing VikRentCar at or below 1.4.5 remains flagged in HarborGuard until a patched rebuild is confirmed.

Affected packages

  • e4jvikwp / VikRentCar ≤ 1.4.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N