Description
Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.39.
Published: 2025-12-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a missing authorization check in the WordPress WP Time Slots Booking Form plugin. Because the plugin’s access control levels are incorrectly configured, an attacker can reach protected booking functions that should only be available to authenticated users. This flaw allows unauthorized creation, modification, or deletion of booking entries, potentially corrupting event schedules and exposing sensitive information. This flaw is a CWE‑862 (Missing Authorization) vulnerability.

Affected Systems

All releases of the WordPress WP Time Slots Booking Form plugin from codepeople up to and including version 1.2.39 are affected. This issue is present in every earlier version since the product’s initial release. Users running any of these versions should assume the vulnerability exists.

Risk and Exploitability

The CVSS base score of 6.5 signals moderate severity. The EPSS value of less than 1% indicates a low probability that this flaw will be exploited in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to send requests to the plugin’s booking endpoints, which are publicly accessible on the WordPress site. While the risk of exploitation is not high, the impact on data integrity justifies prompt remediation.

Generated by OpenCVE AI on April 29, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the most recent version of the WP Time Slots Booking Form plugin (any version newer than 1.2.39) to apply the vendor’s fix for missing authorization (CWE‑862).
  • Verify that access control settings in the plugin are configured to restrict booking management functions to users with the appropriate role (e.g., administrator or editor) and disable direct access for other roles.
  • Deploy a web application firewall rule or .htaccess restriction that limits HTTP requests to the booking endpoint URLs to authenticated users only, thereby providing a temporary protection if the plugin upgrade is delayed.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.38.
Values Added: Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.39.

Type: Title
Values Removed: WordPress WP Time Slots Booking Form plugin <= 1.2.38 - Broken Access Control vulnerability
Values Added: WordPress WP Time Slots Booking Form plugin <= 1.2.39 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Codepeople, Codepeople wp Time Slots Booking Form, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Codepeople, Codepeople wp Time Slots Booking Form, Wordpress, Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 13:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.38.

Type: Title
Values Removed: (none)
Values Added: WordPress WP Time Slots Booking Form plugin <= 1.2.38 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.612Z

Reserved: 2025-12-19T10:17:28.557Z

Link: CVE-2025-68569

Vulnrichment

Updated: 2025-12-24T18:52:40.905Z

NVD

Status: Deferred

Published: 2025-12-24T13:16:23.833

Modified: 2026-04-27T19:16:31.503

Link: CVE-2025-68569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:45:17Z

Weaknesses