Description

The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.

Severity (CVSS)

Base score5.3
SeverityMedium
VersionCVSS 3.1
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Provided byCNA

Weaknesses

  • CWE-862 — CWE-862 Missing Authorization

Affected products

VendorProductVersions
rentmyRentMy Real-Time Rental Management Plugin0 to <=4.0.4.1

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 24 Jun 2026 09:35 UTC.