Skip to main content

Truebooker EUVDEUVD-2026-20334

| CVE-2026-39663 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-h6c7-94pp-2gpq
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20334
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: from n/a through <= 1.1.5.

AnalysisAI

TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.

Technical ContextAI

TrueBooker is a WordPress appointment booking plugin (CPE: cpe:2.3:a:themetechmount:truebooker:*:*:*:*:*:*:*:*) that manages booking appointments and related booking data. The vulnerability stems from CWE-862 (Missing Authorization), indicating the application performs actions or grants access without properly verifying user permissions. WordPress plugins typically handle authorization through capability checks (e.g., current_user_can()) in REST API endpoints or admin AJAX handlers. In this case, access control validation appears to be bypassed or misconfigured entirely, allowing unauthenticated users to perform operations restricted to authenticated administrators or specific user roles.

RemediationAI

Update TrueBooker to the patched version released after 1.1.5 as indicated by the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve. If immediate patching is not feasible, disable the TrueBooker plugin until the update is available, or restrict REST API and AJAX endpoints to authenticated users via Web Application Firewall rules. Review server access logs for suspicious requests to booking endpoints prior to patch deployment to identify potential exploitation.

Share

EUVD-2026-20334 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy