Truebooker
Monthly
Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.
The TrueBooker WordPress plugin before 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.
The TrueBooker WordPress plugin before 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.