Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Network-reachable plugin action with a low-privilege (Subscriber) account and no interaction gives AV:N/AC:L/PR:L/UI:N; missing authorization exposes sensitive data (C:H) with limited writes (I:L) and no availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Booked <= 3.0.0 versions.
AnalysisAI
Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated WordPress account at Subscriber level or higher on a site running the Booked plugin version 3.0.0 or earlier (PR:L in the CVSS vector confirms authenticated, not pre-auth, access). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N): network-reachable, low complexity, no user interaction, but requiring a low-privileged account, with high confidentiality and low integrity impact and no availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers (or already holds) a Subscriber-level account on a WordPress site running Booked <= 3.0.0, then sends a crafted authenticated request to a Booked plugin action that lacks a capability check. Because no authorization is enforced, the request returns or manipulates data the Subscriber should not access, chiefly disclosing confidential booking/appointment information (C:H) with some limited write impact (I:L). … |
| Remediation | No vendor-released patch version is identified in the available data, so confirm the fixed release directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve) and update to any version above 3.0.0 once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations running Booked plugin and verify current version numbers. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitra
Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId
Unauthenticated CSRF in Booked WordPress plugin (versions <= 3.0.0) enables remote attackers to trigger availability-imp
Open redirect vulnerability in Booked versions prior to 3.3 allows a remote unauthenticated attacker to redirect a user
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41302
GHSA-wjq5-2fc7-77v9