Skip to main content

Appointment Booking Plugin EUVDEUVD-2026-44871

| CVE-2026-11866 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-16 WPScan GHSA-fhhf-9f5f-hv7p
5.4
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

Attacker needs no account (PR:N), victim admin must interact (UI:R); impact limited to config integrity and payment-gateway availability, no data disclosure.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Jul 16, 2026 - 16:26 vuln.today
CVSS changed
Jul 16, 2026 - 16:22 NVD
5.4 (MEDIUM)
Patch available
Jul 16, 2026 - 10:18 EUVD
CVE Published
Jul 16, 2026 - 06:00 cve.org
MEDIUM 5.4
CVE Published
Jul 16, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator.

AnalysisAI

Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target WordPress site with plugin
Delivery
Craft CSRF payload targeting dispatcher endpoint
Exploit
Deliver malicious link to administrator via phishing
Execution
Admin loads attacker page while session is active
Persist
Browser submits forged request with session cookie
Impact
Plugin overwrites booking config or disconnects payment gateway

Vulnerability AssessmentAI

Exploitation Exploitation requires that a WordPress administrator with an active, authenticated session visits an attacker-controlled page or clicks a crafted link while logged in to the WordPress backend. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) scores 5.4 (Medium), reflecting that exploitation requires user interaction (an admin must visit the attacker's page) but imposes no authentication burden on the attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker creates a webpage containing a hidden HTML form or JavaScript fetch that targets the plugin's dispatcher endpoint with parameters that overwrite the booking-form configuration or disconnect the payment gateway. The attacker then lures a WordPress site administrator - via phishing email or a malicious comment link - into loading that page while their admin session is active. …
Remediation The vendor-released patch is version 5.6.3 of the Appointment Booking Plugin; administrators should update immediately via the WordPress plugin dashboard or by downloading from the official repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44871 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy