Description
The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed views php files via direct access.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows unauthenticated users to directly access view PHP files within the Truebooker plugin. These files can contain sensitive booking and user information, making it possible to read data that should be protected. The weakness is classified as Missing Authorization, as the plugin fails to enforce proper access controls on these files.

Affected Systems

All installations of the Truebooker – Appointment Booking and Scheduler System with versions up to and including 1.1.4 are impacted. The issue stems from the views directory within the plugin, where PHP files are exposed to web access. Users of older WordPress sites running this plugin version should review their configurations for potential data exposure.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability that does not involve code execution or privilege escalation, but it carries confidentiality risk. Exploitation is straightforward: attackers simply request the exposed PHP file URLs, which triggers the disclosure. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Overall, this vulnerability is easy to exploit and should be mitigated promptly.

Generated by OpenCVE AI on March 31, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Truebooker plugin to the latest available version (>=1.1.5) to remove the exposed view files.

Generated by OpenCVE AI on March 31, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Themetechmount
Themetechmount truebooker-appointment-booking
Wordpress
Wordpress wordpress
Vendors & Products Themetechmount
Themetechmount truebooker-appointment-booking
Wordpress
Wordpress wordpress

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Description The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed views php files via direct access.
Title Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Themetechmount Truebooker-appointment-booking
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:51.528Z

Reserved: 2026-02-03T10:00:39.307Z

Link: CVE-2026-1797

cve-icon Vulnrichment

Updated: 2026-03-31T13:49:08.389Z

cve-icon NVD

Status : Deferred

Published: 2026-03-31T05:16:10.867

Modified: 2026-04-24T18:11:16.583

Link: CVE-2026-1797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:10:31Z

Weaknesses