CVE-2025-39390: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in magepeopleteam's Booking and Rental Manager WordPress plugin, affecting versions through 2.3.8. The vulnerability was publicly disclosed on April 18, 2025, and was assigned CVE-2025-39390. The issue allows unauthenticated attackers to perform unauthorized actions due to missing capability checks in certain plugin functions (Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue, with a CVSS v3.1 base score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating that it can be exploited over the network, requires low attack complexity, and needs no privileges or user interaction (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to perform unauthorized actions within the plugin's functionality. The impact is primarily focused on integrity (I:L), with no direct effect on confidentiality or availability (Patchstack).

The vulnerability has been fixed in version 2.3.7 of the Booking and Rental Manager plugin. Users are advised to update to version 2.3.7 or later to remediate the security issue. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).