Skip to main content

Booked CVE-2026-57746

| EUVDEUVD-2026-41302 HIGH
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-wjq5-2fc7-77v9
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Network-reachable plugin action with a low-privilege (Subscriber) account and no interaction gives AV:N/AC:L/PR:L/UI:N; missing authorization exposes sensitive data (C:H) with limited writes (I:L) and no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:25 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Booked <= 3.0.0 versions.

AnalysisAI

Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber account
Delivery
Send crafted request to Booked action
Exploit
Missing authorization check bypassed
Execution
Access or alter restricted booking data
Impact
Exfiltrate confidential appointment information

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated WordPress account at Subscriber level or higher on a site running the Booked plugin version 3.0.0 or earlier (PR:L in the CVSS vector confirms authenticated, not pre-auth, access). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N): network-reachable, low complexity, no user interaction, but requiring a low-privileged account, with high confidentiality and low integrity impact and no availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers (or already holds) a Subscriber-level account on a WordPress site running Booked <= 3.0.0, then sends a crafted authenticated request to a Booked plugin action that lacks a capability check. Because no authorization is enforced, the request returns or manipulates data the Subscriber should not access, chiefly disclosing confidential booking/appointment information (C:H) with some limited write impact (I:L). …
Remediation No vendor-released patch version is identified in the available data, so confirm the fixed release directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve) and update to any version above 3.0.0 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running Booked plugin and verify current version numbers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy