{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69327", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:18.800Z", "datePublished": "2026-01-06T16:36:37.973Z", "dateUpdated": "2026-04-28T16:14:37.636Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "car-rental-manager", "product": "Car Rental Manager", "vendor": "magepeopleteam", "versions": [{"changes": [{"at": "1.2.0", "status": "unaffected"}], "lessThanOrEqual": "1.0.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:15.413Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Car Rental Manager: from n/a through <= 1.0.9.</p>"}], "value": "Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.0.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.636Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/car-rental-manager/vulnerability/wordpress-car-rental-manager-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Car Rental Manager plugin <= 1.0.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T16:52:02.475734Z", "id": "CVE-2025-69327", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:51:04.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69327", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T16:52:02.475734Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T16:51:59.110Z"}}], "cna": {"title": "WordPress Car Rental Manager plugin <= 1.0.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "magepeopleteam", "product": "Car Rental Manager", "versions": [{"status": "affected", "changes": [{"at": "1.2.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.9"}], "packageName": "car-rental-manager", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:15.413Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/car-rental-manager/vulnerability/wordpress-car-rental-manager-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.0.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Car Rental Manager: from n/a through <= 1.0.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:00.525Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69327", "state": "PUBLISHED", "dateUpdated": "2026-04-27T19:51:04.704Z", "dateReserved": "2025-12-31T20:12:18.800Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:37.973Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.0.9."}], "id": "CVE-2025-69327", "lastModified": "2026-04-27T21:16:24.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-06T17:15:45.813", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/car-rental-manager/vulnerability/wordpress-car-rental-manager-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:24:02.855959+00:00", "value": {"mitigation_remediation": ["Upgrade the Car Rental Manager plugin to a version newer than 1.0.9 (the latest available release).", "If an upgrade cannot be performed immediately, restrict the plugin\u2019s activation or administrative capabilities to only highly privileged users, or disable the plugin on non\u2011critical sites to reduce exposure.", "Monitor authentication logs for unexpected administrator logins or unauthorized access attempts and consider applying additional role\u2011based access controls or firewall rules to block suspicious traffic."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress Car Rental Manager plugin, released by MagePeopleTeam, in all versions from the initial release up through 1.0.9. Any WordPress site with an installation of the plugin at or below version 1.0.9 is vulnerable.", "description_and_impact": "The Car Rental Manager plugin contains a missing authorization flaw that allows requests bypassing the normal WordPress permission checks. This defect can let attackers reach privileged administrative actions or read sensitive booking data without the required capabilities. The weakness is formally identified as improper authorization (CWE-862) and can compromise the confidentiality and integrity of the rental management system.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score is below 1%, which suggests the likelihood of exploitation at this time is low, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need to target a WordPress site that has the vulnerable plugin installed; successful exploitation would likely grant unauthorized access to administrative functions or sensitive rental data rather than full remote code execution."}}}}, "created": "2026-01-07T10:09:02.210712+00:00", "updated": "2026-04-28T18:30:37.338090+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}