Description
Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.0.
Published: 2025-12-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TrueBooker is a WordPress appointment-booking plugin from themetechmount. The record describes a missing authorization check (CWE-862): a plugin function that should verify the caller's capability before acting does not, so a request that reaches the affected code path is processed without confirming that the caller is allowed to perform the action. The record does not name the endpoint or the booking operation it exposes. The CVSS 3.1 vector currently on the record (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) scores an unauthenticated, network-reachable flaw with a low integrity impact and no confidentiality or availability impact; an earlier revision of the record scored it as a low confidentiality impact instead (C:L/I:N/A:N), so the assessed effect has already been revised once. Read it as an unauthenticated caller being able to make a limited change to plugin-managed data, not as full administrative takeover.

Affected Systems

The vulnerability affects the TrueBooker appointment-booking WordPress plugin (slug truebooker-appointment-booking) in all versions up to and including 1.1.0; the record gives no lower bound ("from n/a"). Any WordPress site running TrueBooker 1.1.0 or earlier should be treated as affected.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium) and the EPSS score is below 1% (Very Low). The CVE is not listed in the CISA KEV catalog, and the SSVC assessment attached to the record reads Exploitation: none, Automatable: no, Technical Impact: partial. The vector's PR:N/UI:N means that a single unauthenticated HTTP request with no victim interaction is enough once the affected endpoint is known, and AC:L means no special conditions are required; the record does not identify that endpoint and references no public exploit code. The risk is therefore moderate: low likelihood of exploitation by current signals, but a trivially reachable flaw that should not be left unpatched on an exposed site.

Generated by OpenCVE AI on April 29, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TrueBooker plugin to a version newer than 1.1.0 once one is released, or replace the plugin with a maintained alternative.
  • If upgrading is not feasible, restrict the plugin's booking-management actions so that only users holding the appropriate capability (e.g., administrators or a designated staff role) can reach them. Because PR:N means the flaw is reachable without any login, hiding menu entries or front-end controls is not enough; the check has to sit in the request handler itself.
  • Verify that an authorization check (a capability check, and for AJAX or REST handlers a nonce or permission callback as well) exists on every plugin entry point, and apply the vendor patch that adds the missing check as soon as one is available.
  • Monitor web-server and WordPress logs for requests to the plugin's booking-management endpoints that are not tied to an authenticated session, and investigate unexpected booking changes.
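As an added illustration of what the two preceding recommendations mean inside a WordPress plugin (this is not TrueBooker's code, and the record does not say which handler is affected): a booking-management admin-ajax handler in the unprotected shape CWE-862 describes, the same handler with a capability check and nonce verification, and a REST route whose permission_callback does the same job. The action names, the option key and the choice of the manage_options capability are hypothetical.

```php
<?php
/**
 * Added illustration, not TrueBooker's code. Action names, option key and
 * capability are hypothetical; the WordPress functions used are real.
 */

// --- Unprotected pattern (CWE-862): the handler never asks who is calling,
// and the nopriv registration exposes it to anonymous requests (PR:N). ---
function tb_demo_delete_booking_unsafe() {
    $id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    delete_option( 'tb_demo_booking_' . $id );   // privileged state change, no check
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_tb_demo_delete_booking',        'tb_demo_delete_booking_unsafe' );
add_action( 'wp_ajax_nopriv_tb_demo_delete_booking', 'tb_demo_delete_booking_unsafe' );

// --- Hardened pattern: authorize first, then verify request origin. ---
function tb_demo_delete_booking_safe() {
    // Authorization. 'manage_options' is administrator-only in a default
    // install; a plugin-specific capability granted to staff roles is better.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // wp_die()s
    }
    // CSRF protection. The nonce complements the capability check; it does
    // not replace it, because it proves page origin, not permission.
    check_ajax_referer( 'tb_demo_delete_booking', 'nonce' );

    $id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }
    delete_option( 'tb_demo_booking_' . $id );
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_tb_demo_delete_booking_safe', 'tb_demo_delete_booking_safe' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers never reach it.

// --- Same rule for a REST route: permission_callback is the authorization gate. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'tb-demo/v1', '/booking/(?P<id>\d+)', array(
        'methods'  => 'DELETE',
        'callback' => function ( WP_REST_Request $req ) {
            $id = absint( $req['id'] );
            delete_option( 'tb_demo_booking_' . $id );
            return rest_ensure_response( array( 'deleted' => $id ) );
        },
        // '__return_true' here would be the CWE-862 version of this route.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );
```

To audit an installed plugin for the same pattern, grep its source for wp_ajax_nopriv_ registrations and for permission_callback entries set to __return_true, then confirm that each handler they point at calls current_user_can() (or an equivalent check) before it changes state. A nonce alone is not authorization: check_ajax_referer only proves the request came from a page the site generated for the caller, not that the caller is allowed to perform the action.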

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Themetechmount; Themetechmount truebooker; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Themetechmount; Themetechmount truebooker; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 21:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 14:30:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.0.
Type: Title
Values Added: WordPress TrueBooker plugin <= 1.1.0 - Broken Access Control vulnerability
Type: Weaknesses
Values Added: CWE-862
Type: References
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:21.958Z

Reserved: 2025-12-09T12:21:34.120Z

Link: CVE-2025-67581

Vulnrichment

Updated: 2025-12-09T20:33:50.395Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:35.850

Modified: 2026-04-27T18:16:44.450

Link: CVE-2025-67581

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:45:18Z

Weaknesses