Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unauthenticated remote HTTP request to a WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N); missing authorization exposes and mutates booking data (C:H/I:H) but no availability impact stated (A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.
AnalysisAI
Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Technical ContextAI
TrueBooker is a commercial WordPress appointment-booking plugin distributed by ThemeTechMount (CPE cpe:2.3:a:themetechmount:truebooker). The root cause is CWE-862 (Missing Authorization): one or more plugin AJAX/REST endpoints execute sensitive booking-management actions without performing the required capability checks (e.g., current_user_can) or nonce-bound authorization. In typical WordPress plugin patterns this means the handler is wired through wp_ajax_nopriv_ or an unauthenticated rest_api_init route, so requests are processed before any access-control gate is applied.
RemediationAI
Upgrade TrueBooker to a version greater than 1.1.9 once ThemeTechMount publishes a fixed release - the Patchstack record at https://patchstack.com/database/wordpress/plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-9-broken-access-control-vulnerability is the canonical reference and should be checked for the patched version. Until a patched build is confirmed, deactivate the TrueBooker plugin if appointment booking is non-essential (side effect: booking functionality offline); alternatively, restrict access to the WordPress admin-ajax.php and /wp-json/ endpoints exposed by the plugin using a WAF rule or Patchstack/Wordfence virtual patch, accepting that broad rules may block legitimate AJAX traffic for other plugins. Disabling unauthenticated REST API access site-wide is another option but will break logged-out features of other plugins and themes.
More in Truebooker
View allThe TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL
The TrueBooker WordPress plugin before 1.0.3 does not have CSRF check in place when updating its settings, which could a
TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing una
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36856
GHSA-cwvg-5ch6-2hq6