Skip to main content

Wp Time Slots Booking Form EUVDEUVD-2026-11967

| CVE-2026-32432 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11967
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.42.

AnalysisAI

WP Time Slots Booking Form through version 1.2.42 contains a missing authorization vulnerability that allows unauthenticated attackers to modify booking data through improperly configured access controls. An attacker can exploit this to alter time slot reservations and other critical booking information without authentication. No patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a category that encompasses failures to verify user permissions before allowing sensitive operations. In the context of the WP Time Slots Booking Form plugin, the root cause involves insufficient access control checks on backend functions that handle booking creation, modification, and deletion. WordPress plugins typically rely on nonce verification, capability checks (using functions like current_user_can()), and role-based access control to prevent unauthorized data manipulation. The affected plugin fails to properly implement these checks on certain API endpoints or AJAX actions, allowing unauthenticated or low-privileged users to perform administrative booking operations. The plugin architecture (CPE: cpe:2.3:a:codepeople:wp_time_slots_booking_form) indicates this is a server-side application vulnerability with network-level attack vector (CVSS AV:N), meaning the flaw is exploitable remotely without physical access or client-side dependencies.

RemediationAI

Immediately upgrade the WP Time Slots Booking Form plugin to the patched version released by CodePeople (confirm the exact safe version via the WordPress plugin repository or vendor advisory). Until patching is feasible, implement the following mitigations: disable the plugin if not actively used, restrict access to the plugin's endpoints via Web Application Firewall (WAF) rules blocking unauthenticated requests to booking modification URLs, and enforce WordPress user authentication at the web server level for any /wp-admin or plugin AJAX handler paths. Additionally, audit recent booking records and activity logs for evidence of unauthorized modification using WordPress audit plugins, and consider restricting booking form visibility to authenticated users only via conditional display logic. Monitor the CodePeople support channels and WordPress security mailing lists for patch release confirmation.

Share

EUVD-2026-11967 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy