Cyber Posture

CVE-2026-27389

CriticalUpdated

Published: 05 March 2026

Published
05 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27389 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Directly addresses authentication bypass via alternate paths by identifying, authorizing, and controlling permitted actions without identification or authentication.

AC-3 Access Enforcement good match
prevent

Enforces approved access authorizations across all logical paths and channels, preventing exploitation of authentication bypass vulnerabilities.

IA-8 Identification and Authentication (Non-organizational Users) good match
prevent

Ensures non-organizational users, such as booking customers, are properly identified and authenticated, mitigating account takeover from authentication abuse.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
Why these techniques?

CVE describes remote unauthenticated auth bypass in public-facing WordPress plugin enabling account takeover; directly maps to T1190 for exploitation of the web app and facilitates T1078 by allowing abuse of valid accounts without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.

Deeper analysisAI

CVE-2026-27389 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the WeDesignTech Ultimate Booking Addon WordPress plugin (wedesigntech-ultimate-booking-addon). This issue affects all versions from n/a through 1.0.1 and enables authentication abuse. Published on 2026-03-05, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for high impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation allows authentication abuse, leading to account takeover as described in related advisories.

Patchstack provides details on this account takeover vulnerability in WeDesignTech Ultimate Booking Addon version 1.0.1. Security practitioners should consult the advisory at https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-1-account-takeover-vulnerability-2?_s_id=cve for mitigation recommendations and patch information.

Details

CWE(s)
CWE-288

CVEs Like This One

CVE-2025-26966Shared CWE-288
CVE-2025-1564Shared CWE-288
CVE-2026-25357Shared CWE-288
CVE-2024-13182Shared CWE-288
CVE-2025-6895Shared CWE-288
CVE-2025-7710Shared CWE-288
CVE-2026-29139Shared CWE-288
CVE-2026-27049Shared CWE-288
CVE-2025-7444Shared CWE-288
CVE-2025-7642Shared CWE-288

References