Skip to main content

Booked WordPress Plugin CVE-2026-57747

| EUVDEUVD-2026-41303 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-02 Patchstack GHSA-4438-c9gx-hx64
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

CSRF requires no attacker privileges (PR:N) and no special conditions (AC:L), but victim interaction is mandatory (UI:R); impact is purely availability with no confidentiality or integrity breach.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:31 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in Booked <= 3.0.0 versions.

AnalysisAI

Unauthenticated CSRF in Booked WordPress plugin (versions <= 3.0.0) enables remote attackers to trigger availability-impacting actions against authenticated WordPress users without their consent. The CVSS vector (C:N/I:N/A:H) indicates this CSRF leads to a destructive availability outcome - likely deletion or corruption of booking/scheduling data - rather than data theft or code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target WordPress site running Booked <= 3.0.0
Delivery
Craft malicious page with auto-submitting forged form targeting Booked endpoints
Exploit
Deliver phishing lure to authenticated WordPress user
Install
Victim visits attacker page
C2
Browser sends forged request with victim's session cookies
Execute
Booked processes request without CSRF validation
Impact
Availability-impacting action executed

Vulnerability AssessmentAI

Exploitation The target user must be authenticated to the WordPress site (holding an active session cookie with sufficient privileges to perform the targeted Booked plugin action) at the time they visit the attacker-controlled page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 Medium with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H reflects a network-reachable attack requiring no privileges to stage (PR:N) but mandating victim interaction (UI:R), which meaningfully limits exploitation compared to fully passive vectors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious webpage containing hidden HTML forms or JavaScript that automatically submits forged HTTP requests to the target WordPress site's Booked plugin endpoints. When an authenticated WordPress administrator or editor visits the attacker's page - via phishing email, social media link, or malvertising - their browser silently sends the forged request using their active session cookies, causing the plugin to execute the destructive action (such as deleting all appointments) without any CSRF token validation rejecting it.
Remediation The primary remediation is to update the Booked plugin beyond version 3.0.0 as soon as a patched release is available from Themerex or the WordPress plugin repository; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability should be monitored for the confirmed fixed version, which was not independently confirmed at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy