Skip to main content

TrueBooker CVE-2026-48881

| EUVDEUVD-2026-36856 CRITICAL
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-cwvg-5ch6-2hq6
9.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

Unauthenticated remote HTTP request to a WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N); missing authorization exposes and mutates booking data (C:H/I:H) but no availability impact stated (A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:46 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.

AnalysisAI

Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Technical ContextAI

TrueBooker is a commercial WordPress appointment-booking plugin distributed by ThemeTechMount (CPE cpe:2.3:a:themetechmount:truebooker). The root cause is CWE-862 (Missing Authorization): one or more plugin AJAX/REST endpoints execute sensitive booking-management actions without performing the required capability checks (e.g., current_user_can) or nonce-bound authorization. In typical WordPress plugin patterns this means the handler is wired through wp_ajax_nopriv_ or an unauthenticated rest_api_init route, so requests are processed before any access-control gate is applied.

RemediationAI

Upgrade TrueBooker to a version greater than 1.1.9 once ThemeTechMount publishes a fixed release - the Patchstack record at https://patchstack.com/database/wordpress/plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-9-broken-access-control-vulnerability is the canonical reference and should be checked for the patched version. Until a patched build is confirmed, deactivate the TrueBooker plugin if appointment booking is non-essential (side effect: booking functionality offline); alternatively, restrict access to the WordPress admin-ajax.php and /wp-json/ endpoints exposed by the plugin using a WAF rule or Patchstack/Wordfence virtual patch, accepting that broad rules may block legitimate AJAX traffic for other plugins. Disabling unauthenticated REST API access site-wide is another option but will break logged-out features of other plugins and themes.

Share

CVE-2026-48881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy