Skip to main content

Appointment Booking Plugin

1 CVEs product

Monthly

CVE-2026-11866 MEDIUM POC PATCH This Month

Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.

CSRF WordPress Appointment Booking Plugin
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.

CSRF WordPress Appointment Booking Plugin
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy