PatchSiren cyber security CVE debrief
CVE-2026-27405 Magepeople inc. CVE debrief
CVE-2026-27405 is a missing authorization / broken access control issue in the WpBookingly WordPress plugin, affecting versions through 1.2.9. The CVE was published on 2026-05-20 and carries a CVSS 3.1 score of 6.5 (Medium). Based on the provided CVSS vector, exploitation requires elevated privileges, but successful abuse can impact both integrity and availability. This is not listed as a known CISA KEV issue in the supplied data.
- Vendor: Magepeople inc.
- Product: WpBookingly
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site owners running WpBookingly, administrators responsible for plugin access controls, and security teams that review privilege boundaries in customer-facing booking or management plugins.
Technical summary
The supplied CVE description identifies a missing authorization weakness in Magepeople inc. WpBookingly, which the description characterizes as exploiting incorrectly configured access control security levels. NVD maps the weakness to CWE-862 and reports the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H: network reachability, low attack complexity, high privileges required, no user interaction, unchanged scope, no confidentiality impact, and high integrity and availability impact. The affected range is listed as from n/a through 1.2.9. NVD also marks the vulnerability status as Deferred in the provided record.
Defensive priority
Medium. Prioritize if the plugin is installed and any privileged roles or admin-facing workflows are exposed. Because the issue is authorization-related, validating server-side permission checks should be a high-confidence remediation step even if no active exploitation is known.
Recommended defensive actions
- Inventory all WordPress installations that use WpBookingly and confirm the installed version.
- Upgrade or replace WpBookingly if an unaffected release is available from the vendor or trusted maintainer.
- Review all admin, AJAX, REST, and action-handler endpoints for server-side authorization checks; do not rely on UI-only restrictions.
- Restrict plugin management access to the minimum necessary administrative roles.
- Monitor WordPress logs and plugin activity for unexpected privilege-sensitive actions until remediation is complete.
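One way to start the endpoint review recommended above, as an added example (not code from the advisory, the vendor, or WpBookingly): a small Python audit that lists each `wp_ajax_*` hook registered in plugin source and flags handlers with no `current_user_can()` or nonce check. The sample PHP and its hook names are constructed, and the regex parsing is a heuristic that assumes handlers are plain named functions in the same source.

```python
import re

# Constructed sample; hook and handler names are hypothetical, not WpBookingly's.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_demo_save_settings', 'demo_save_settings');
add_action('wp_ajax_demo_delete_booking', 'demo_delete_booking');
add_action('wp_ajax_nopriv_demo_list_slots', 'demo_list_slots');
function demo_save_settings() {
    check_ajax_referer('demo_nonce');
    if (!current_user_can('manage_options')) { wp_die('Forbidden', 403); }
    update_option('demo_settings', $_POST['settings']);
}
function demo_delete_booking() {
    check_ajax_referer('demo_nonce');  // nonce only: CSRF check, not authorization
    wp_delete_post((int) $_POST['id'], true);
}
function demo_list_slots() { wp_send_json(get_option('demo_slots')); }
"""

HOOK_RE = re.compile(r"""add_action\(\s*['"](wp_ajax_(?:nopriv_)?\w+)['"]\s*,\s*['"](\w+)['"]""")

def function_body(src, name):
    """Brace-balanced body of a named PHP function (heuristic: ignores braces in strings)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Map each registered AJAX hook to a list of missing server-side checks."""
    report = {}
    for hook, handler in HOOK_RE.findall(src):
        body = function_body(src, handler) or ""  # handler defined elsewhere: treat as unchecked
        issues = []
        if "current_user_can(" not in body:
            issues.append("no capability check")
        if not re.search(r"check_ajax_referer\(|wp_verify_nonce\(", body):
            issues.append("no nonce check")
        if hook.startswith("wp_ajax_nopriv_"):
            issues.append("reachable unauthenticated")
        report[hook] = issues
    return report

if __name__ == "__main__":
    for hook, issues in audit(SAMPLE_PHP).items():
        print(hook, "->", ", ".join(issues) or "ok")
```

A flagged handler is a candidate for manual review, not a confirmed finding: the check may live in a helper the handler calls, and REST routes need a separate look at their `permission_callback`.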
Evidence notes
All claims here are limited to the supplied corpus. The CVE description states: "Missing Authorization vulnerability in Magepeople inc. WpBookingly" and notes impact from n/a through 1.2.9. The provided NVD metadata lists weakness CWE-862, CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H, and vulnStatus Deferred. The supplied reference URL points to a Patchstack advisory for the WpBookingly plugin. No KEV entry is present in the supplied enrichment data.
Official resources
- CVE-2026-27405 CVE record (CVE.org)
- CVE-2026-27405 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE published 2026-05-20; modified 2026-05-20. No evidence in the supplied data of KEV inclusion or ransomware campaign use.