CVE-2026-39587 HIGH

CVE-2026-39587: WordPress WP BASE Booking plugin <= 5.9.0 - Privilege Escalation vulnerability

Vendor Hakan Ozevin
Product WP BASE Booking
Weakness CWE-266
Published June 15, 2026
Last update June 16, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions.

Explanation of Vulnerability in Simple Terms

02Summary

WP BASE Booking versions up to 5.9.0 contain a privilege escalation vulnerability that allows unauthenticated attackers to gain high-level access to the booking system. The vulnerability requires specific network conditions to exploit but does not require user interaction. Successful exploitation grants attackers the ability to read sensitive booking data, modify reservations, and disrupt service availability.

What an attacker can do

03Attacker Capabilities

Gain unauthorized access to read, modify, or delete booking data without authentication.

Potential impact on your site

04Site Impact

Attackers can access customer booking information, alter reservations, and cause booking system downtime without needing valid credentials.

Conditions required to exploit

05Prerequisites

Network access to the site; no user authentication or interaction required, but exploitation requires specific network conditions.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 16, 2026 Record updated

Related vulnerabilities

08Related CVE