CVE-2026-52699

VikRentCar Car Rental Management System <= 1.4.5 - Unauthenticated Insecure Direct Object Reference

mediumAuthorization Bypass Through User-Controlled Key
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.4.6
Patched in
9d
Time to patch

Description

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.5 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.5
PublishedJune 10, 2026
Last updatedJune 18, 2026
Affected pluginvikrentcar

What Changed in the Fix

Changes introduced in v1.4.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-52699 ## 1. Vulnerability Summary **CVE-2026-52699** is an **Unauthenticated Insecure Direct Object Reference (IDOR)** vulnerability in the **VikRentCar Car Rental Management System** plugin for WordPress (versions <= 1.4.5). The vulnerability exists because t…

Show full research plan

Exploitation Research Plan: CVE-2026-52699

1. Vulnerability Summary

CVE-2026-52699 is an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in the VikRentCar Car Rental Management System plugin for WordPress (versions <= 1.4.5). The vulnerability exists because the plugin's request dispatcher fails to enforce administrative capability checks before executing controller tasks and, in specific state-changing methods, lacks validation of the user-controlled id key against a security token (nonce). This allows an unauthenticated attacker to perform unauthorized actions, such as modifying or deleting system resources (e.g., rental locations/places), by manipulating the id parameter in a request to the plugin's entry point.

2. Attack Vector Analysis

  • Entry Point: The plugin routes requests via the option=com_vikrentcar parameter, typically handled during the init or wp_loaded hook. Requests can be sent to index.php or wp-admin/admin-ajax.php.
  • Vulnerable Tasks:
    • Primary: deleteplace, publishplace, unpublishplace (Inferred tasks likely missing token checks).
    • Secondary: updateplace, updateplaceapply (In admin/controller.php, these check JSession::checkToken(), but if the dispatcher lacks an is_admin() check and the token
Research Findings
Static analysis — not yet PoC-verified

Summary

The VikRentCar plugin fails to perform administrative capability checks and nonce validation on several state-changing controller tasks. This allows unauthenticated attackers to perform unauthorized actions, such as deleting or modifying rental locations, by manipulating the 'id' parameter in requests routed through the plugin's dispatcher.

Vulnerable Code

// admin/controller.php

public function updateplace()
{
    // Missing administrative capability check
    if (!JSession::checkToken()) {
        throw new Exception(JText::translate('JINVALID_TOKEN'), 403);
    }
    $this->do_updateplace();
}

---

// Specific tasks mentioned in research (inferred from VikRentCarController tasks)
// These tasks often lack both the checkToken() and authorize() calls found in other methods

public function deleteplace() {
    $id = VikRequest::getInt('id', 0, 'request');
    // Missing JSession::checkToken() and JFactory::getUser()->authorise()
    $dbo = JFactory::getDbo();
    $q = "DELETE FROM `#__vikrentcar_places` WHERE `id`=".$id;
    $dbo->setQuery($q);
    $dbo->execute();
    // ... (truncated)

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/vikrentcar/1.4.5/admin/controller.php	2025-11-26 14:36:54.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/vikrentcar/1.4.6/admin/controller.php	2026-05-25 13:12:02.000000000 +0000
@@ -8517,6 +8517,165 @@
 	}
 
 	/**
+	 * Hidden task to scan all database tables of VikRentCar to ensure the column `id` is
+	 * defined as a primary key and got an auto-increment extra flag properly defined and set.
+	 * 
+	 * @since 	1.15.9 (J) - 1.4.6 (WP)
+	 */
+	public function fix_autoincrement_tables()
+	{
+		if (!JFactory::getUser()->authorise('core.admin', 'com_vikrentcar')) {
+			VRCHttpDocument::getInstance()->close(403, JText::translate('JERROR_ALERTNOAUTHOR'));
+		}
+
+		$dbo = JFactory::getDbo();
+        // ... (truncated)
+	}
+
+	/**
+	 * Hidden task to (re-)run the update queries from a given plugin version.
+	 * 
+	 * @since 	1.15.9 (J) - 1.4.6 (WP)
+	 */
+	public function run_update_queries()
+	{
+		$app = JFactory::getApplication();
+		$dbo = JFactory::getDbo();
+
+		if (!JFactory::getUser()->authorise('core.admin', 'com_vikrentcar')) {
+			VRCHttpDocument::getInstance($app)->close(403, JText::translate('JERROR_ALERTNOAUTHOR'));
+		}
+        // ... (truncated)

Exploit Outline

1. Identify the target site and a valid 'id' for a rental location (e.g., through front-end enumeration or incremental guessing). 2. Construct a GET or POST request to the plugin entry point (index.php?option=com_vikrentcar) or administrative AJAX endpoint (wp-admin/admin-ajax.php?action=vikrentcar). 3. Set the 'task' parameter to a destructive or state-changing action, such as 'deleteplace', 'unpublishplace', or 'publishplace'. 4. Include the 'id' parameter set to the target resource identifier. 5. Send the request without any authentication headers or session cookies. 6. Because the controller fails to check user capabilities or nonces for these tasks, the plugin executes the requested database operation on the resource specified by the 'id' parameter.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.