CVE-2026-39587

Unknown · WP BASE Booking

An unauthenticated privilege escalation vulnerability in WP BASE Booking allows unauthorized users to gain elevated administrative permissions.

Executive summary

The WP BASE Booking plugin contains a critical unauthenticated privilege escalation flaw that allows attackers to gain administrative access to the platform.

Vulnerability

This is a privilege escalation vulnerability that does not require prior authentication. By targeting the booking plugin, an attacker can manipulate user roles or permissions, effectively bypassing existing access controls.

Business impact

A CVSS score of 8.1 reflects the severe risk of unauthorized administrative access. This compromise could allow an attacker to seize control of the entire WordPress installation, modify site content, and access sensitive customer data, resulting in significant reputational and operational damage.

Remediation

Immediate Action: Update the WP BASE Booking plugin to the latest vendor-patched version.

Proactive Monitoring: Review administrative user lists for unauthorized accounts and monitor audit logs for unexpected privilege changes.

Compensating Controls: Restrict access to the booking management interface using IP allowlisting or additional WAF policies until the vulnerability is patched.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given that this vulnerability allows for unauthenticated privilege escalation, it must be addressed as a top priority. Administrators should audit their user accounts immediately to ensure no unauthorized administrative accounts have been created.
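The account audit recommended under Proactive Monitoring and in the analyst recommendation can be scripted. The following is an added example, not code from this advisory or from the plugin vendor: it reads a user export produced with WP-CLI and flags administrator accounts that need review. The approved-administrator list, the last-review date and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample, in the shape produced by:
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv
SAMPLE_CSV = """ID,user_login,user_email,user_registered,roles
1,siteadmin,admin@example.test,2021-03-02 09:14:55,administrator
7,frontdesk,desk@example.test,2023-06-11 16:40:02,editor
42,support_tmp,tmp@example.test,2026-04-09 03:12:47,administrator
43,jsmith,jsmith@example.test,2026-04-10 11:05:00,"subscriber,administrator"
51,newclient,client@example.test,2026-04-11 08:00:00,subscriber
"""

def audit_admins(csv_text, approved_logins, last_review):
    """Return (login, reasons) for each administrator account that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" not in roles:
            continue
        reasons = []
        # Any administrator missing from the known-good list is suspect.
        if row["user_login"] not in approved_logins:
            reasons.append("not on approved administrator list")
        # Accounts created since the last verified audit deserve a second look.
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered > last_review:
            reasons.append("registered after last review")
        # Heuristic: a low-privilege role next to administrator can indicate
        # that the role was added to an existing account.
        if len(roles) > 1:
            reasons.append("administrator added alongside other roles")
        if reasons:
            findings.append((row["user_login"], reasons))
    return findings

if __name__ == "__main__":
    approved = {"siteadmin", "jsmith"}   # assumption: your known-good administrators
    review_date = datetime(2026, 1, 1)   # assumption: date of the last verified audit
    for login, reasons in audit_admins(SAMPLE_CSV, approved, review_date):
        print(f"REVIEW {login}: {'; '.join(reasons)}")
```

Replace SAMPLE_CSV with a real export from the site. A flagged account is a prompt to check it against audit logs, not proof of compromise.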