Platform
wordpress
Component
wp-base-booking-of-appointments-services-and-events
Fixed in
6.0.0
CVE-2026-39587 represents a Privilege Escalation vulnerability affecting the WP BASE Booking of Appointments, Services and Events plugin for WordPress. An unauthenticated attacker can exploit this flaw to elevate their privileges to that of an administrator, potentially compromising the entire WordPress site. This vulnerability impacts versions of the plugin up to and including 5.9.0. A patch is available in version 6.0.0.
CVE-2026-39587 in the WP BASE Booking plugin for WordPress represents a critical privilege escalation vulnerability. Unauthenticated attackers can exploit this flaw to gain administrator access to the website. This means they could modify content, install malware, steal sensitive user data, or even take complete control of the site. The CVSS score of 9.8 indicates a severe impact and a high likelihood of exploitation. Websites using WP BASE Booking versions prior to 6.0.0 are at immediate risk and should be updated as soon as possible. The lack of authentication required to exploit the vulnerability makes it particularly dangerous, as the attacker doesn't need any account on the website.
Exploitation of this vulnerability likely involves sending specially crafted HTTP requests to the WP BASE Booking plugin. The inadequate validation of user roles allows an attacker, without being authenticated, to manipulate request parameters to be treated as an administrator. The attack can be automated using vulnerability scanning tools or custom scripts. The simplicity of the exploitation makes it accessible to attackers with varying levels of technical skill. This vulnerability is expected to be widely exploited once publicly known, making immediate updating essential.
Exploit Status
CVSS Vector
The immediate and recommended solution is to update the WP BASE Booking plugin to version 6.0.0 or higher. This version includes the fix for the privilege escalation vulnerability. Additionally, review user permissions in WordPress to ensure there are no unnecessary accounts with administrator privileges. Implementing robust password policies and enabling two-factor authentication (2FA) can help mitigate the risk of unauthorized access, even if the vulnerability isn't addressed immediately. Monitoring server logs for suspicious activity is crucial for detecting and responding to potential exploitation attempts.
Update to version 6.0.0, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
A CVSS score of 9.8 indicates a critical severity vulnerability with a high likelihood of exploitation. It signifies a very serious potential impact.
If immediate updating isn't possible, implement additional security measures such as two-factor authentication and log monitoring.
Yes, all versions of WP BASE Booking prior to 6.0.0 are vulnerable to this privilege escalation.
In the WordPress admin dashboard, go to 'Plugins' and check the WP BASE Booking version.
Visit the official WP BASE Booking plugin page or the WordPress repository for update instructions.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.