Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: from n/a through <= 1.1.5.
AnalysisAI
TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.
Technical ContextAI
TrueBooker is a WordPress appointment booking plugin (CPE: cpe:2.3:a:themetechmount:truebooker:*:*:*:*:*:*:*:*) that manages booking appointments and related booking data. The vulnerability stems from CWE-862 (Missing Authorization), indicating the application performs actions or grants access without properly verifying user permissions. WordPress plugins typically handle authorization through capability checks (e.g., current_user_can()) in REST API endpoints or admin AJAX handlers. In this case, access control validation appears to be bypassed or misconfigured entirely, allowing unauthenticated users to perform operations restricted to authenticated administrators or specific user roles.
RemediationAI
Update TrueBooker to the patched version released after 1.1.5 as indicated by the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve. If immediate patching is not feasible, disable the TrueBooker plugin until the update is available, or restrict REST API and AJAX endpoints to authenticated users via Web Application Firewall rules. Review server access logs for suspicious requests to booking endpoints prior to patch deployment to identify potential exploitation.
More in Truebooker
View allThe TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL
Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeT
The TrueBooker WordPress plugin before 1.0.3 does not have CSRF check in place when updating its settings, which could a
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20334
GHSA-h6c7-94pp-2gpq