VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 12 known issues Latest disclosed Mar 23, 2026

Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Vulnerabilities

Review known vulnerability records for the WordPress plugin Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment (`booking-and-rental-manager-for-woocommerce`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-23972, CVE-2025-69328 and CVE-2025-49904, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
12
High or Critical
5
Patch Coverage
100%
Last Updated
Apr 02, 2026
Related Security Guides

Use these guides while reviewing Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening
WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.
Plugin Security
WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.
Scanning
WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.
Patch Decision Workflow

How to prioritize Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records
12
1. Match the Package
Confirm the installed WordPress plugin slug is booking-and-rental-manager-for-woocommerce before acting on any CVE from this cluster.
2. Sort by Severity
Start with 5 high or critical records, then review medium and unrated findings with public references.
3. Check Patch Evidence
12 records include a patch path; verify compatibility before closing the finding.
4. Monitor Gaps
0 records still lack a listed fixed release, so keep this hub in the review queue.
High-Signal Remediation Targets
CVE-2025-27011 High
Local File Inclusion remediation for Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment

Affected range: Versions up to 2.2.8. Fixed version: 2.2.9.

CVE-2025-26921 High
Vulnerability remediation for Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment

Affected range: Versions up to 2.2.6. Fixed version: 2.2.7.

CVE-2025-69328 High
Vulnerability remediation for Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment

Affected range: Versions up to 2.5.9. Fixed version: 2.6.0.

CVE-2025-64266 High
Vulnerability remediation for Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment

Affected range: Versions up to 2.5.4. Fixed version: 2.5.5.

Priority CVE Quick Links

Fast paths into Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
12
Tracked CVE Issue Type Affected Versions Fixed Version CVSS
CVE-2025-27011
Booking and Rental Manager <= 2.2.8 - Authenticated (Contributor+) Local File Inclus...
 Local File Inclusion Versions up to 2.2.8 2.2.9 CVSS 8.8
CVE-2025-26921
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment...
 Vulnerability Versions up to 2.2.6 2.2.7 CVSS 8.8
CVE-2025-69328
Booking and Rental Manager <= 2.5.9 - Authenticated (Contributor+) PHP Object Inject...
 Vulnerability Versions up to 2.5.9 2.6.0 CVSS 7.5
CVE-2025-64266
Booking and Rental Manager <= 2.5.4 - Authenticated (Contributor+) PHP Object Inject...
 Vulnerability Versions up to 2.5.4 2.5.5 CVSS 7.5
CVE-2025-49904
Booking and Rental Manager <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting
 Stored Cross-Site Scripting Versions up to 2.5.3 2.5.4 CVSS 7.2
CVE-2024-12412
Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration...
 Stored Cross-Site Scripting Versions up to 2.2.1 2.2.2 CVSS 6.1
CVE-2025-47585
Booking and Rental Manager <= 2.3.8 - Missing Authorization
 Vulnerability Versions up to 2.3.8 2.3.9 CVSS 5.3
CVE-2025-39390
Booking and Rental Manager <= 2.3.6 - Missing Authorization
 Vulnerability Versions up to 2.3.6 2.3.7 CVSS 5.3
CVE-2025-27011 High 2.2.9
CVE-2025-27011 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Local File Inclusion

Booking and Rental Manager <= 2.2.8 - Authenticated (Contributor+) Local File Inclusion

CVE-2025-26921 High 2.2.7
CVE-2025-26921 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Vulnerability

Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment <= 2.2.6 - Authenticated (Contributor+) PHP Object Injection

CVE-2025-69328 High 2.6.0
CVE-2025-69328 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Vulnerability

Booking and Rental Manager <= 2.5.9 - Authenticated (Contributor+) PHP Object Injection

CVE-2025-64266 High 2.5.5
CVE-2025-64266 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Vulnerability

Booking and Rental Manager <= 2.5.4 - Authenticated (Contributor+) PHP Object Injection

CVE-2025-49904 High 2.5.4
CVE-2025-49904 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Stored Cross-Site Scripting

Booking and Rental Manager <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting

CVE-2024-12412 Medium 2.2.2
CVE-2024-12412 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Stored Cross-Site Scripting

Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin <= 2.2.1 - Reflected Cross-Site Scripting

CVE-2025-47585 Medium 2.3.9
CVE-2025-47585 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Vulnerability

Booking and Rental Manager <= 2.3.8 - Missing Authorization

CVE-2025-39390 Medium 2.3.7
CVE-2025-39390 Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment Vulnerability

Booking and Rental Manager <= 2.3.6 - Missing Authorization

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
12 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 5 high severity findings.
Recent CVEs
CVE-2026-23972, CVE-2025-69328 and CVE-2025-49904
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-23972
CVE-2026-23972: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment <= 2.6.0 - Missing Authorization

The Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.6.0. This makes it possible for authenticated...

Published
Mar 23, 2026
Patched Release
2.6.1
Affected Versions
Versions up to 2.6.0
Next Step
Update to 2.6.1 or newer if supported.
Review CVE-2026-23972 fixed version details Open CVE Reference
Plugin High Patched: Yes CVE-2025-69328
CVE-2025-69328: Booking and Rental Manager <= 2.5.9 - Authenticated (Contributor+) PHP Object Injection

The Booking and Rental Manager plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.5.9 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP O...

Published
Feb 09, 2026
Patched Release
2.6.0
Affected Versions
Versions up to 2.5.9
Next Step
Update to 2.6.0 or newer if supported.
Review CVE-2025-69328 fixed version details Open CVE Reference
Plugin High Patched: Yes CVE-2025-49904
CVE-2025-49904: Booking and Rental Manager <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting

The Booking and Rental Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

Published
Nov 01, 2025
Patched Release
2.5.4
Affected Versions
Versions up to 2.5.3
Next Step
Update to 2.5.4 or newer if supported.
Review CVE-2025-49904 fixed version details Open CVE Reference
Plugin High Patched: Yes CVE-2025-64266
CVE-2025-64266: Booking and Rental Manager <= 2.5.4 - Authenticated (Contributor+) PHP Object Injection

The Booking and Rental Manager plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.5.4 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP O...

Published
Sep 20, 2025
Patched Release
2.5.5
Affected Versions
Versions up to 2.5.4
Next Step
Update to 2.5.5 or newer if supported.
Review CVE-2025-64266 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-47585
CVE-2025-47585: Booking and Rental Manager <= 2.3.8 - Missing Authorization

The Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticat...

Published
May 22, 2025
Patched Release
2.3.9
Affected Versions
Versions up to 2.3.8
Next Step
Update to 2.3.9 or newer if supported.
Review CVE-2025-47585 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-39390
CVE-2025-39390: Booking and Rental Manager <= 2.3.6 - Missing Authorization

The Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.3.6. This makes it possible for unauthenticat...

Published
Apr 18, 2025
Patched Release
2.3.7
Affected Versions
Versions up to 2.3.6
Next Step
Update to 2.3.7 or newer if supported.
Review CVE-2025-39390 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-39457
CVE-2025-39457: Booking and Rental Manager <= 2.2.8 - Missing Authorization

The Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.2.8. This makes it possible for unauthenticat...

Published
Apr 17, 2025
Patched Release
2.2.9
Affected Versions
Versions up to 2.2.8
Next Step
Update to 2.2.9 or newer if supported.
Review CVE-2025-39457 fixed version details Open CVE Reference
Plugin High Patched: Yes CVE-2025-27011
CVE-2025-27011: Booking and Rental Manager <= 2.2.8 - Authenticated (Contributor+) Local File Inclusion

The Booking and Rental Manager plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, al...

Published
Apr 11, 2025
Patched Release
2.2.9
Affected Versions
Versions up to 2.2.8
Next Step
Update to 2.2.9 or newer if supported.
Review CVE-2025-27011 fixed version details Open CVE Reference
Plugin High Patched: Yes CVE-2025-26921
CVE-2025-26921: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment <= 2.2.6 - Authenticated (Contributor+) PHP Object Injection

The Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.6 via deserialization of untrusted input. This makes it possible for authenticated attacke...

Published
Feb 23, 2025
Patched Release
2.2.7
Affected Versions
Versions up to 2.2.6
Next Step
Update to 2.2.7 or newer if supported.
Review CVE-2025-26921 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-22720
CVE-2025-22720: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment plugin for WordPress <= 2.2.1 - Missing Authorization

The Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticat...

Published
Jan 15, 2025
Patched Release
2.2.2
Affected Versions
Versions up to 2.2.1
Next Step
Update to 2.2.2 or newer if supported.
Review CVE-2025-22720 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-12412
CVE-2024-12412: Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin <= 2.2.1 - Reflected Cross-Site Scripting

The Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘active_tab’ parameter in all versions up to, and including, 2.2.1 due to insufficient...

Published
Jan 10, 2025
Patched Release
2.2.2
Affected Versions
Versions up to 2.2.1
Next Step
Update to 2.2.2 or newer if supported.
Review CVE-2024-12412 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-35048
CVE-2023-35048: Booking and Rental Manager <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Booking and Rental Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with adminis...

Published
Jun 13, 2023
Patched Release
1.2.2
Affected Versions
Versions up to 1.2.1
Next Step
Update to 1.2.2 or newer if supported.
Review CVE-2023-35048 fixed version details Open CVE Reference