CVE-2026-27388
Published: 05 March 2026
Summary
CVE-2026-27388 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-27388 is a missing authorization vulnerability, mapped to CWE-862, in the DesignThemes Booking Manager WordPress plugin (designthemes-booking-manager). It enables exploitation of incorrectly configured access control security levels and affects all versions from n/a through 2.0 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high severity with a primary impact on availability.
Unauthenticated attackers can exploit this issue over the network with low attack complexity and no user interaction. Exploitation results in high-impact denial of service, potentially disrupting site functionality without affecting confidentiality or integrity.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/designthemes-booking-manager/vulnerability/wordpress-designthemes-booking-manager-plugin-2-0-broken-access-control-vulnerability?_s_id=cve documents the broken access control vulnerability in plugin version 2.0 and provides further details for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9640
Vulnerability details
Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DesignThemes Booking Manager: from n/a through <= 2.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables unauthenticated network exploitation for high-impact denial of service through application abuse.
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for logical access to information and system resources, directly mitigating the missing authorization vulnerability that allows unauthenticated DoS exploitation.
SI-2 requires organizations to identify, report, and correct flaws like this broken access control vulnerability in the WordPress plugin, preventing exploitation through timely patching.
SC-5 employs technical mechanisms to detect and prevent denial-of-service attacks, addressing the high availability impact from unauthenticated exploitation of this vulnerability.