CVE-2026-23972 identifies a Missing Authorization vulnerability in the magepeopleteam Booking and Rental Manager plugin for WooCommerce, affecting all versions up to and including 2.6.0. The core issue stems from incorrectly configured access control security levels, which fail to properly verify whether a user is authorized to perform certain actions within the booking system. This misconfiguration can allow an attacker to bypass authorization checks, potentially enabling unauthorized access to sensitive booking data or the ability to manipulate bookings. Since the vulnerability relates to access control, it directly impacts the confidentiality and integrity of the system. The plugin is widely used in WooCommerce environments to manage bookings and rentals, making it a critical component for many e-commerce businesses. No CVSS score has been assigned yet, and there are no known exploits in the wild, but the vulnerability is publicly disclosed and should be considered a significant risk. The lack of authentication requirements for exploitation increases the attack surface. The vendor has not yet provided patches, so mitigation currently relies on compensating controls and monitoring. This vulnerability highlights the importance of rigorous access control validation in web applications, especially those handling sensitive transactional data.

The impact of CVE-2026-23972 is significant for organizations using the magepeopleteam Booking and Rental Manager plugin. Unauthorized users could exploit this vulnerability to access or modify booking and rental data, potentially leading to data breaches, fraudulent bookings, or service disruptions. This could damage customer trust, result in financial losses, and expose organizations to regulatory penalties related to data protection laws. The integrity of booking information is critical for operational continuity in sectors such as hospitality, car rentals, and event management. Since the vulnerability does not require authentication, attackers can exploit it remotely without prior access, increasing the likelihood of exploitation. The absence of a patch at this time means organizations remain exposed until a fix is released and applied. The scope of affected systems is limited to WooCommerce sites using this specific plugin, but given WooCommerce's global popularity, the number of potentially impacted organizations is substantial.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict access to the Booking and Rental Manager plugin's administrative and booking management interfaces using web application firewalls (WAFs) or IP whitelisting to limit exposure. 2) Audit and tighten user roles and permissions within WooCommerce to ensure only trusted users have access to booking management functions. 3) Monitor logs for unusual or unauthorized access attempts related to booking management endpoints. 4) Consider temporarily disabling the plugin if feasible or replacing it with alternative booking solutions with verified security. 5) Engage with the vendor for updates and apply patches immediately upon release. 6) Conduct penetration testing focused on access control mechanisms to identify any other potential weaknesses. These targeted actions go beyond generic advice by focusing on access restriction, monitoring, and proactive vendor engagement.