Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CSRF requires no attacker privileges (PR:N) and no special conditions (AC:L), but victim interaction is mandatory (UI:R); impact is purely availability with no confidentiality or integrity breach.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in Booked <= 3.0.0 versions.
AnalysisAI
Unauthenticated CSRF in Booked WordPress plugin (versions <= 3.0.0) enables remote attackers to trigger availability-impacting actions against authenticated WordPress users without their consent. The CVSS vector (C:N/I:N/A:H) indicates this CSRF leads to a destructive availability outcome - likely deletion or corruption of booking/scheduling data - rather than data theft or code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target user must be authenticated to the WordPress site (holding an active session cookie with sufficient privileges to perform the targeted Booked plugin action) at the time they visit the attacker-controlled page. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.5 Medium with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H reflects a network-reachable attack requiring no privileges to stage (PR:N) but mandating victim interaction (UI:R), which meaningfully limits exploitation compared to fully passive vectors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious webpage containing hidden HTML forms or JavaScript that automatically submits forged HTTP requests to the target WordPress site's Booked plugin endpoints. When an authenticated WordPress administrator or editor visits the attacker's page - via phishing email, social media link, or malvertising - their browser silently sends the forged request using their active session cookies, causing the plugin to execute the destructive action (such as deleting all appointments) without any CSRF token validation rejecting it. |
| Remediation | The primary remediation is to update the Booked plugin beyond version 3.0.0 as soon as a patched release is available from Themerex or the WordPress plugin repository; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability should be monitored for the confirmed fixed version, which was not independently confirmed at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitra
Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId
Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-pr
Open redirect vulnerability in Booked versions prior to 3.3 allows a remote unauthenticated attacker to redirect a user
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41303
GHSA-4438-c9gx-hx64