Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Arraytics Booktics booktics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booktics: from n/a through <= 1.0.16.
AnalysisAI
Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.
Technical ContextAI
Arraytics Booktics is a WordPress plugin that implements booking functionality. The vulnerability stems from CWE-862 (Missing Authorization), a class of flaw where the application fails to perform authorization checks before allowing sensitive operations. WordPress plugins execute in the context of the wp-admin or wp-frontend environments and typically rely on WordPress's built-in capability system (roles: Administrator, Editor, Author, Contributor, Subscriber) to gate access to plugin functions. This plugin's access control mechanism is misconfigured, permitting users (potentially unauthenticated) to perform modification actions that should be restricted to authorized roles. The CPE identifier cpe:2.3:a:arraytics:booktics:*:*:*:*:*:*:*:* confirms the affected product scope.
RemediationAI
Update Arraytics Booktics to a version above 1.0.16 once a patched release is available from the vendor. Interim mitigation for sites unable to patch immediately includes restricting access to the Booktics plugin via WordPress user role management, ensuring only trusted administrators and designated booking managers have access to sensitive plugin functions, and implementing Web Application Firewall (WAF) rules to block unauthorized access to plugin endpoints (typically /wp-admin/admin-ajax.php requests with Booktics action parameters). Monitor the Patchstack vulnerability advisory (https://patchstack.com/database/Wordpress/Plugin/booktics/vulnerability/wordpress-booktics-plugin-1-0-16-broken-access-control-vulnerability?_s_id=cve) for patch availability and implementation guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20225
GHSA-m6q8-fqwc-9pp4