CVE-2026-57660 Overview
CVE-2026-57660 is an unauthenticated broken access control vulnerability affecting the Booking and Rental Manager for WooCommerce WordPress plugin in versions up to and including 2.7.1. The flaw stems from missing authorization checks [CWE-862] on plugin endpoints, allowing remote attackers to interact with functionality that should require authenticated access. Exploitation requires no user interaction and can be performed over the network without credentials. The impact is limited to integrity, with no confidentiality or availability effects reported.
Critical Impact
Remote unauthenticated attackers can modify plugin data or trigger restricted actions on WordPress sites running vulnerable Booking and Rental Manager versions.
Affected Products
- Booking and Rental Manager for WooCommerce plugin versions <= 2.7.1
- WordPress sites with the plugin installed and activated
- WooCommerce-based booking and rental sites relying on this plugin
Discovery Timeline
- 2026-06-26 - CVE-2026-57660 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2026-57660
Vulnerability Analysis
The vulnerability is a broken access control issue [CWE-862] in the Booking and Rental Manager for WooCommerce plugin. One or more plugin actions do not verify the requester's capabilities or authentication state before executing sensitive logic. As a result, unauthenticated network attackers can invoke functionality intended for privileged users. The scope of impact is limited to low integrity effects, indicating that attackers can modify certain data but cannot read protected information or crash the site.
Root Cause
The root cause is missing authorization enforcement on plugin request handlers. WordPress plugins commonly expose AJAX or REST endpoints that must validate both a nonce and a capability check such as current_user_can(). In this plugin, those checks are absent or insufficient for the affected actions, allowing any anonymous HTTP client to reach protected logic.
Attack Vector
An attacker sends crafted HTTP requests to the vulnerable plugin endpoints on a WordPress site running version 2.7.1 or earlier. Because the requests do not require authentication, exploitation can be automated at scale against exposed WordPress installations. No detailed proof-of-concept is publicly available at this time. For additional technical detail, see the Patchstack Vulnerability Report.
No verified exploit code is available. The vulnerability mechanism involves invoking plugin action handlers that fail to enforce capability checks before performing state changes.
Detection Methods for CVE-2026-57660
Indicators of Compromise
- Unauthenticated HTTP POST or GET requests to Booking and Rental Manager plugin action handlers, particularly admin-ajax.php calls referencing plugin-specific actions.
- Unexpected modifications to booking, rental, or reservation records in the WordPress database without a corresponding authenticated admin session.
- Web server access logs showing repeated requests to plugin endpoints from a small set of source IP addresses.
Detection Strategies
- Review WordPress access logs for anonymous requests targeting plugin routes and correlate against authenticated admin sessions.
- Enable WordPress audit logging to record changes to plugin-managed content types and configuration.
- Deploy a Web Application Firewall (WAF) rule to alert on requests to Booking and Rental Manager action endpoints originating without valid authentication cookies.
Monitoring Recommendations
- Monitor for anomalous booking or rental record creation, modification, or deletion outside of normal business patterns.
- Track HTTP 200 responses from plugin AJAX endpoints when the request lacks a wordpress_logged_in_* cookie.
- Alert on spikes in traffic to admin-ajax.php referencing the plugin's action names.
How to Mitigate CVE-2026-57660
Immediate Actions Required
- Identify all WordPress sites running Booking and Rental Manager for WooCommerce version 2.7.1 or earlier and prioritize them for update.
- Apply the vendor-supplied patch as soon as a fixed release is available from the plugin author.
- Restrict access to the WordPress admin and AJAX endpoints from untrusted networks where feasible.
Patch Information
A patched version beyond 2.7.1 should be obtained from the plugin vendor. Refer to the Patchstack Vulnerability Report for the authoritative fixed version and remediation guidance.
Workarounds
- Deactivate the Booking and Rental Manager for WooCommerce plugin until a patched version is installed if the feature is not business critical.
- Apply WAF virtual patching rules that block unauthenticated requests to the plugin's action handlers.
- Enforce IP allow-listing on /wp-admin/admin-ajax.php for administrative source ranges where booking functionality is only used internally.
# Configuration example: block unauthenticated access to plugin AJAX actions via nginx
location = /wp-admin/admin-ajax.php {
if ($arg_action ~* "^(brm_|booking_rental_)") {
if ($http_cookie !~* "wordpress_logged_in_") {
return 403;
}
}
include fastcgi_params;
fastcgi_pass php-fpm;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

