Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.42.
AnalysisAI
WP Time Slots Booking Form through version 1.2.42 contains a missing authorization vulnerability that allows unauthenticated attackers to modify booking data through improperly configured access controls. An attacker can exploit this to alter time slot reservations and other critical booking information without authentication. No patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a category that encompasses failures to verify user permissions before allowing sensitive operations. In the context of the WP Time Slots Booking Form plugin, the root cause involves insufficient access control checks on backend functions that handle booking creation, modification, and deletion. WordPress plugins typically rely on nonce verification, capability checks (using functions like current_user_can()), and role-based access control to prevent unauthorized data manipulation. The affected plugin fails to properly implement these checks on certain API endpoints or AJAX actions, allowing unauthenticated or low-privileged users to perform administrative booking operations. The plugin architecture (CPE: cpe:2.3:a:codepeople:wp_time_slots_booking_form) indicates this is a server-side application vulnerability with network-level attack vector (CVSS AV:N), meaning the flaw is exploitable remotely without physical access or client-side dependencies.
RemediationAI
Immediately upgrade the WP Time Slots Booking Form plugin to the patched version released by CodePeople (confirm the exact safe version via the WordPress plugin repository or vendor advisory). Until patching is feasible, implement the following mitigations: disable the plugin if not actively used, restrict access to the plugin's endpoints via Web Application Firewall (WAF) rules blocking unauthenticated requests to booking modification URLs, and enforce WordPress user authentication at the web server level for any /wp-admin or plugin AJAX handler paths. Additionally, audit recent booking records and activity logs for evidence of unauthorized modification using WordPress audit plugins, and consider restricting booking form visibility to authenticated users only via conditional display logic. Monitor the CodePeople support channels and WordPress security mailing lists for patch release confirmation.
More in Wp Time Slots Booking Form
View allMissing Authorization vulnerability in CodePeople WP Time Slots Booking Form.2.11. Rated critical severity (CVSS 9.8), t
The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high
SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subs
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.2.06. Rated high severity (CVSS 7.5), this
Reflected/stored cross-site scripting in the WP Time Slots Booking Form WordPress plugin (versions up to and including 1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodePeople
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.1.76. Rated medium severity (CVSS 4.3), thi
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11967