Skip to main content

Booktics CVE-2026-39585

| EUVDEUVD-2026-20225 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-m6q8-fqwc-9pp4
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20225
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Arraytics Booktics booktics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booktics: from n/a through <= 1.0.16.

AnalysisAI

Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.

Technical ContextAI

Arraytics Booktics is a WordPress plugin that implements booking functionality. The vulnerability stems from CWE-862 (Missing Authorization), a class of flaw where the application fails to perform authorization checks before allowing sensitive operations. WordPress plugins execute in the context of the wp-admin or wp-frontend environments and typically rely on WordPress's built-in capability system (roles: Administrator, Editor, Author, Contributor, Subscriber) to gate access to plugin functions. This plugin's access control mechanism is misconfigured, permitting users (potentially unauthenticated) to perform modification actions that should be restricted to authorized roles. The CPE identifier cpe:2.3:a:arraytics:booktics:*:*:*:*:*:*:*:* confirms the affected product scope.

RemediationAI

Update Arraytics Booktics to a version above 1.0.16 once a patched release is available from the vendor. Interim mitigation for sites unable to patch immediately includes restricting access to the Booktics plugin via WordPress user role management, ensuring only trusted administrators and designated booking managers have access to sensitive plugin functions, and implementing Web Application Firewall (WAF) rules to block unauthorized access to plugin endpoints (typically /wp-admin/admin-ajax.php requests with Booktics action parameters). Monitor the Patchstack vulnerability advisory (https://patchstack.com/database/Wordpress/Plugin/booktics/vulnerability/wordpress-booktics-plugin-1-0-16-broken-access-control-vulnerability?_s_id=cve) for patch availability and implementation guidance.

Share

CVE-2026-39585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy