PatchSiren

CVE-2026-8690 rentmy CVE debrief

The RentMy Real-Time Rental Management Plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 4.0.4.1. The plugin fails to properly verify user authorization for certain actions, allowing unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option. Additionally, attackers can overwrite the rentmy_locationId option. This vulnerability has a CVSS score of 5.3 and a severity rating of MEDIUM.

Vendor: rentmy
Product: RentMy Real-Time Rental Management Plugin
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-06-25
Advisory published: 2026-06-24
Advisory updated: 2026-06-25

Who should care

WordPress users who have installed the RentMy Real-Time Rental Management Plugin, especially those with versions up to and including 4.0.4.1, should be aware of this vulnerability. Site administrators and security teams should prioritize patching or mitigating this vulnerability to prevent potential unauthorized access to event records and location settings.

Technical summary

The RentMy Real-Time Rental Management Plugin for WordPress is vulnerable to an authorization bypass due to inadequate verification of user authorization. This allows unauthenticated attackers to perform actions such as reading, creating, updating, and deleting event records stored in the rentmy_events WordPress option. The vulnerability also enables attackers to overwrite the rentmy_locationId option. The issue is tracked under CVE-2026-8690 and has a CVSS score of 5.3, indicating a MEDIUM severity level.

Defensive priority

Patching the RentMy Real-Time Rental Management Plugin to a version beyond 4.0.4.1 is crucial to mitigate this authorization bypass vulnerability. In the interim, site administrators can implement additional monitoring and logging to detect potential exploitation attempts.

Recommended defensive actions

  • Patch the RentMy Real-Time Rental Management Plugin to the latest version.
  • Implement Web Application Firewall (WAF) rules to detect and block suspicious traffic.
  • Enhance monitoring and logging to detect potential exploitation attempts.
  • Conduct regular security audits and vulnerability assessments.
  • Restrict access to sensitive areas of the WordPress site.
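
One way to implement the monitoring recommended above, as an added example that is not code from the plugin vendor or from this advisory's sources: a must-use plugin that logs every write to the two options named in the summary and flags writes made with no logged-in user. It assumes the plugin stores them through the standard WordPress options API; the file name and the log event names are hypothetical.

```php
<?php
/**
 * Added example, not RentMy code: audit log for writes to the options named
 * in CVE-2026-8690. Hypothetical path: wp-content/mu-plugins/rentmy-option-audit.php
 * Assumes the plugin writes them through the WordPress options API.
 */

// Option names as given in the advisory text.
const RENTMY_AUDIT_OPTIONS = array( 'rentmy_events', 'rentmy_locationId' );

// Write one JSON line to the PHP error log for a change to a watched option.
function rentmy_audit_log( $action, $option, $old = null, $new = null ) {
	if ( ! in_array( $option, RENTMY_AUDIT_OPTIONS, true ) ) {
		return;
	}
	$user_id = get_current_user_id(); // 0 when no user is logged in
	$record  = array(
		'event'           => 'rentmy_option_' . $action, // hypothetical event name
		'option'          => $option,
		'user_id'         => $user_id,
		'unauthenticated' => ( 0 === $user_id ),
		// REMOTE_ADDR is the proxy address when the site sits behind one.
		'ip'              => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli',
		'uri'             => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
		// Hashes instead of values keep the log small and free of rental data.
		'old_sha256'      => hash( 'sha256', serialize( $old ) ),
		'new_sha256'      => hash( 'sha256', serialize( $new ) ),
	);
	error_log( wp_json_encode( $record ) );
}

// update_option() fires this only when the stored value actually changes.
add_action( 'updated_option', function ( $option, $old, $new ) {
	rentmy_audit_log( 'updated', $option, $old, $new );
}, 10, 3 );

add_action( 'added_option', function ( $option, $value ) {
	rentmy_audit_log( 'added', $option, null, $value );
}, 10, 2 );

add_action( 'deleted_option', function ( $option ) {
	rentmy_audit_log( 'deleted', $option );
}, 10, 1 );
```

Reads of rentmy_events do not fire these hooks, so this covers only the create, update, delete and overwrite cases. Alert on records where "unauthenticated" is true.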

Evidence notes

The CVE record for CVE-2026-8690 was obtained from the official CVE.org website. Additional details were sourced from the National Vulnerability Database (NVD) and Wordfence security research. The vulnerability is caused by inadequate authorization checks in the RentMy Real-Time Rental Management Plugin for WordPress.

This article was generated with AI assistance and is based on the supplied source corpus.