Cyber Resilience

CVE-2026-27390

Severity: High
Published: 05 March 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS v3.1 score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0047 (37.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27390 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 37.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27390 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the WeDesignTech Ultimate Booking Addon WordPress plugin (wedesigntech-ultimate-booking-addon). This issue affects all versions from n/a through 1.0.1 and allows Authentication Abuse. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network without requiring user interaction. Successful exploitation enables account takeover, granting attackers high-level access to compromise confidentiality, integrity, and availability of affected systems.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-1-account-takeover-vulnerability?_s_id=cve provides further details on this account takeover vulnerability, including potential mitigation guidance.

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon (wedesigntech-ultimate-booking-addon) allows Authentication Abuse. This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.

CWE(s)

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1078 Valid Accounts (tactic: Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An authentication bypass leading to account takeover in a public-facing WordPress plugin directly enables T1190 (exploitation of a public-facing application), T1068 (privilege escalation from a low-privileged authenticated user), and T1078 (abuse of the taken-over valid account).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67998 (shared CWE-288)
CVE-2025-6895 (shared CWE-288)
CVE-2026-29139 (shared CWE-288)
CVE-2026-24206 (shared CWE-288)
CVE-2025-26966 (shared CWE-288)
CVE-2024-13182 (shared CWE-288)
CVE-2025-23504 (shared CWE-288)
CVE-2026-24359 (shared CWE-288)
CVE-2025-7444 (shared CWE-288)
CVE-2025-7642 (shared CWE-288)

Affected Assets

WeDesignTech Ultimate Booking Addon WordPress plugin (wedesigntech-ultimate-booking-addon), all versions from n/a through 1.0.1.

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Remediating the specific authentication bypass flaw in the WeDesignTech Ultimate Booking Addon plugin directly prevents exploitation of the alternate path vulnerability.

Prevent (AC-3 Access Enforcement): Enforcing approved authorizations for all logical access paths comprehensively blocks authentication bypass via alternate channels in plugins.

Prevent (least privilege): Restricting low-privileged users to only necessary privileges limits the impact of account takeover even if the bypass is exploited.

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-1-account-takeover-vulnerability?_s_id=cve