{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27388", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:52:03.312Z", "datePublished": "2026-03-05T05:53:59.120Z", "dateUpdated": "2026-04-28T16:15:03.136Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "designthemes-booking-manager", "product": "DesignThemes Booking Manager", "vendor": "designthemes", "versions": [{"lessThanOrEqual": "2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:19.824Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects DesignThemes Booking Manager: from n/a through <= 2.0.</p>"}], "value": "Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Booking Manager: from n/a through <= 2.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:03.136Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/designthemes-booking-manager/vulnerability/wordpress-designthemes-booking-manager-plugin-2-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress DesignThemes Booking Manager plugin <= 2.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T12:35:32.527099Z", "id": "CVE-2026-27388", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:06:53.162Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27388", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:52:03.312Z", "datePublished": "2026-03-05T05:53:59.120Z", "dateUpdated": "2026-04-28T16:06:53.162Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "designthemes-booking-manager", "product": "DesignThemes Booking Manager", "vendor": "designthemes", "versions": [{"lessThanOrEqual": "2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:27:17.482Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects DesignThemes Booking Manager: from n/a through <= 2.0.</p>"}], "value": "Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Booking Manager: from n/a through <= 2.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:52.216Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/designthemes-booking-manager/vulnerability/wordpress-designthemes-booking-manager-plugin-2-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress DesignThemes Booking Manager plugin <= 2.0 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T12:35:32.527099Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T12:29:27.644Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Booking Manager: from n/a through <= 2.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en designthemes DesignThemes Booking Manager designthemes-booking-manager permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a DesignThemes Booking Manager: desde n/a hasta &lt;= 2.0."}], "id": "CVE-2026-27388", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:28.287", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/designthemes-booking-manager/vulnerability/wordpress-designthemes-booking-manager-plugin-2-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DesignThemes Booking Manager", "source": "cna", "vendor": "designthemes"}, "product": "designthemes_booking_manager", "vendor": "designthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:09:14.994623+00:00", "value": {"mitigation_remediation": ["Verify whether the plugin vendor has released an official update that addresses the access control flaw and apply it to the site.", "Limit access to the plugin\u2019s administrative functions to users with the administrator role or a trusted, custom user role that requires it.", "If the plugin is not essential to the site\u2019s functionality, consider deactivating or uninstalling it to remove the vulnerable code path."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access with the potential for privilege escalation"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the DesignThemes Booking Manager plugin version 2.0 or earlier are affected. The plugin is available for the standard WordPress environment and is distributed under the designthemes:DesignThemes Booking Manager CNA reference. No additional product versions are listed as impacted beyond the 2.0 or earlier threshold.", "description_and_impact": "The vulnerability in the DesignThemes Booking Manager WordPress plugin arises from a missing authorization check that permits users to bypass intended access controls. This broken access control flaw could enable an attacker, once authenticated or even unauthenticated, to perform privileged actions such as creating, modifying, or deleting bookings, accessing sensitive booking data, or altering administrative settings. The weakness is categorized under CWE-862, highlighting a failure to properly enforce authorization safeguards.", "risk_and_exploitability": "The CVSS score of 7.5 classifies the issue as high severity, indicating significant potential impact. The EPSS score of less than 1% suggests that, at present, the probability of exploitation is low, and the vulnerability is not reported in the CISA KEV catalog. The most likely attack vector is a web-based interaction within a WordPress site where the plugin\u2019s functionality is exposed, though the description does not detail prerequisites such as user roles, making the exploitable conditions uncertain. Given the lack of disclosed proof\u2011of\u2011concept exploits, the risk remains theoretical but notable for sites that rely on the plugin for booking management."}}}}, "created": "2026-03-06T15:12:07.925262+00:00", "updated": "2026-04-16T05:15:25.472928+00:00", "vendors": ["designthemes", "designthemes$PRODUCT$designthemes_booking_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}