CVE Catalog

CVE-2026-8690

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

The RentMy Real-Time Rental Management Plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action.

Risk Assessment

Unauthenticated attackers can read, create, update, and delete event records, as well as overwrite the rentmy_locationId option, potentially leading to serious data breaches.

Recommendation

It is recommended to update the plugin to the latest version to mitigate the security vulnerability and implement additional authorization mechanisms.

Original NVD description (English source)

The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS