Skip to main content

Truebooker

4 CVEs product

Monthly

CVE-2026-48881 CRITICAL Act Now

Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass Truebooker
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-39663 MEDIUM This Month

TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.

Authentication Bypass Truebooker
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-6925 MEDIUM POC This Month

The TrueBooker WordPress plugin before 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Truebooker
NVD WPScan
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-6924 CRITICAL POC Act Now

The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Truebooker
NVD WPScan
CVSS 3.1
9.8
EPSS
3.3%
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass Truebooker
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.

Authentication Bypass Truebooker
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The TrueBooker WordPress plugin before 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Truebooker
NVD WPScan
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Truebooker
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy