Cyber Resilience

CVE-2026-27389

Critical

Published: 05 March 2026

Published
05 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 33.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-27389 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-27389 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the WeDesignTech Ultimate Booking Addon WordPress plugin (wedesigntech-ultimate-booking-addon). This issue affects all versions from n/a through 1.0.1 and enables authentication abuse. Published on 2026-03-05, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for high impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation allows authentication abuse, leading to account takeover as described in related advisories.

Patchstack provides details on this account takeover vulnerability in WeDesignTech Ultimate Booking Addon version 1.0.1. Security practitioners should consult the advisory at https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-1-account-takeover-vulnerability-2?_s_id=cve for mitigation recommendations and patch information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

CVE describes remote unauthenticated auth bypass in public-facing WordPress plugin enabling account takeover; directly maps to T1190 for exploitation of the web app and facilitates T1078 by allowing abuse of valid accounts without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-6895Shared CWE-288
CVE-2026-29139Shared CWE-288
CVE-2025-26966Shared CWE-288
CVE-2024-13182Shared CWE-288
CVE-2025-23504Shared CWE-288
CVE-2025-7444Shared CWE-288
CVE-2025-7642Shared CWE-288
CVE-2025-8359Shared CWE-288
CVE-2025-1564Shared CWE-288
CVE-2025-1061Shared CWE-288

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses authentication bypass via alternate paths by identifying, authorizing, and controlling permitted actions without identification or authentication.

prevent

Enforces approved access authorizations across all logical paths and channels, preventing exploitation of authentication bypass vulnerabilities.

prevent

Ensures non-organizational users, such as booking customers, are properly identified and authenticated, mitigating account takeover from authentication abuse.

References