CVE-2026-8690
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
The RentMy Real-Time Rental Management Plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action.
Risk Assessment
Unauthenticated attackers can read, create, update, and delete event records, as well as overwrite the rentmy_locationId option, potentially leading to serious data breaches.
Recommendation
It is recommended to update the plugin to the latest version to mitigate the security vulnerability and implement additional authorization mechanisms.
Original NVD description (English source)
The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.

