Description
The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details.
Published: 2026-01-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized viewing and modification of appointment booking data
Action: Immediate Patch
AI Analysis

Impact

The Timetics Appointment Booking & Scheduling plugin has a missing capability check in its update and register_routes functions in all releases up to 1.0.36. This omission allows anyone who can send a request to the plugin’s REST API endpoints to retrieve and edit booking details without authenticating, effectively exposing sensitive customer data and enabling tampering with scheduled appointments.

Affected Systems

The vulnerability affects the WP Timetics plugin developed by arraytics, covering all versions 1.0.36 and earlier. Users running any of these releases on their WordPress sites are potentially exposed.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, while an EPSS score below 1% suggests a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog, and no public exploit has been reported. Likely attack vectors involve direct REST API calls to the plugin’s endpoints, where the missing capability check allows unauthenticated access to booking data.

Generated by OpenCVE AI on April 20, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Timetics plugin to version 1.0.37 or later, where the capability checks have been added
  • If upgrading immediately is not possible, temporarily block or restrict the plugin’s REST API routes to authenticated users through WordPress role settings or custom code
  • Continuously monitor site logs for anomalous booking access patterns that may indicate exploitation attempts

Generated by OpenCVE AI on April 20, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Arraytics
Arraytics appointment Booking Calendar
Wordpress
Wordpress wordpress
Vendors & Products Arraytics
Arraytics appointment Booking Calendar
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details.
Title Appointment Booking and Scheduling Calendar Plugin – WP Timetics <= 1.0.36 - Missing Authorization to Unauthenticated Booking Details View And Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Arraytics Appointment Booking Calendar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:57.217Z

Reserved: 2025-06-09T10:11:13.131Z

Link: CVE-2025-5919

cve-icon Vulnrichment

Updated: 2026-01-06T14:27:42.066Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T09:15:54.670

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5919

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z

Weaknesses