Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attacker needs no account (PR:N), victim admin must interact (UI:R); impact limited to config integrity and payment-gateway availability, no data disclosure.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator.
AnalysisAI
Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a WordPress administrator with an active, authenticated session visits an attacker-controlled page or clicks a crafted link while logged in to the WordPress backend. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) scores 5.4 (Medium), reflecting that exploitation requires user interaction (an admin must visit the attacker's page) but imposes no authentication burden on the attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker creates a webpage containing a hidden HTML form or JavaScript fetch that targets the plugin's dispatcher endpoint with parameters that overwrite the booking-form configuration or disconnect the payment gateway. The attacker then lures a WordPress site administrator - via phishing email or a malicious comment link - into loading that page while their admin session is active. … |
| Remediation | The vendor-released patch is version 5.6.3 of the Appointment Booking Plugin; administrators should update immediately via the WordPress plugin dashboard or by downloading from the official repository. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44871
GHSA-fhhf-9f5f-hv7p