Description
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.
Published: 2026-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized addon installation
Action: Update Plugin
AI Analysis

Impact

The Booktics plugin for WordPress does not perform a capability check in the Extension_Controller::update_item_permissions_check function. The method name follows the WordPress WP_REST_Controller convention, so this is the permission callback for a REST route: because it never verifies that the caller holds a capability such as install_plugins, any client that can reach the route, including one with no WordPress session at all, can trigger installation of addon plugins. Whether an attacker can steer the installer toward code of their choosing depends on what the route accepts, which the advisory does not state; the CVSS vector (C:N/I:L/A:N) rates the confirmed effect as a limited integrity impact on the site's installed plugin set.
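The pattern behind this class of bug, as an added example that is not Booktics code (the plugin's source is not on this page): a WP_REST_Controller subclass whose update_item_permissions_check() is the permission_callback for a write route. The vulnerable variant approves every request; the fixed variant requires the capability WordPress itself uses for plugin installs. The class name, route namespace, parameter and text domain are hypothetical.

```php
<?php
/**
 * Added example (not Booktics code): a REST controller whose
 * update_item_permissions_check() gates a write route. Class name,
 * namespace 'example-booking/v1', the 'slug' argument and the text
 * domain are hypothetical. Runs inside WordPress (rest_api_init).
 */
class Example_Extension_Controller extends WP_REST_Controller {

    public function register_routes() {
        register_rest_route(
            'example-booking/v1',                       // hypothetical namespace
            '/extensions/(?P<slug>[a-z0-9-]+)',
            array(
                'methods'             => WP_REST_Server::EDITABLE,   // POST/PUT/PATCH
                'callback'            => array( $this, 'update_item' ),
                // This callback is the only gate between the network and the installer.
                // Swap in update_item_permissions_check_vulnerable to see the bug:
                // WordPress only warns when permission_callback is absent, not when
                // it is present and unconditionally returns true.
                'permission_callback' => array( $this, 'update_item_permissions_check' ),
                'args'                => array(
                    'slug' => array( 'type' => 'string', 'required' => true ),
                ),
            )
        );
    }

    /**
     * VULNERABLE pattern (CWE-306): approves the request without looking at
     * who is asking. An unauthenticated REST request runs with no current
     * user, this still returns true, and the install callback executes.
     */
    public function update_item_permissions_check_vulnerable( $request ) {
        return true;
    }

    /**
     * FIXED pattern: require install_plugins, the capability WordPress checks
     * before installing a plugin. With no session current_user_can() is false.
     * rest_authorization_required_code() returns 401 for anonymous callers and
     * 403 for logged-in users who lack the capability.
     */
    public function update_item_permissions_check( $request ) {
        if ( ! current_user_can( 'install_plugins' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to install extensions.', 'example-booking' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return true;
    }

    /** Hypothetical install handler; the real plugin's logic is not on the page. */
    public function update_item( $request ) {
        $slug = sanitize_key( $request['slug'] );
        // ... install the addon identified by $slug ...
        return rest_ensure_response( array( 'installed' => $slug ) );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_Extension_Controller() )->register_routes();
} );
```

Two points worth checking when reviewing a permission callback like this: it must test a capability, not merely is_user_logged_in(), since any subscriber-level account would otherwise pass; and REST cookie authentication only establishes a user when the request carries a valid X-WP-Nonce header, so the fixed version rejects a browser request that lacks one even from an administrator, which is the intended behaviour.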

Affected Systems

The issue affects every installation of the Booktics plugin (distributed by Arraytics) at version 1.0.16 or earlier. Because the check is missing in the plugin code itself, site configuration, hosting environment and other installed plugins do not change the exposure; the only requirement is that the vulnerable plugin is active and its REST routes are reachable.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: reachable over the network, no privileges or user interaction required, limited integrity impact. The EPSS score is below 1%, indicating a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog; SSVC enrichment records Automatable: yes, Exploitation: none, Technical Impact: partial. Exploitation requires only that the plugin's REST route be reachable, which it normally is on any site where the plugin is active, since WordPress serves REST routes under /wp-json/ to unauthenticated clients and relies on each route's permission callback as the sole gate. Here that gate is missing, so no prior account or other foothold is needed.

Generated by OpenCVE AI on April 15, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booktics plugin to the first release after 1.0.16 that adds the capability check, once the vendor publishes it; the advisory does not name a fixed version.
  • If an upgrade is not yet possible, restrict unauthenticated access to the REST route registered by the plugin's Extension_Controller at the web server or WAF. The advisory does not give the route path, so take it from the register_rest_route() call in the installed plugin's source. Blocking all of /wp-json/ is too broad for most sites, since WordPress core and other plugins depend on it.
  • Watch web server access logs for POST, PUT and PATCH requests to that route from clients that carry no WordPress session, and audit wp-content/plugins for directories no administrator installed. WordPress core does not keep an audit log of plugin installations on its own, so the second check needs a file-integrity baseline or an activity-log plugin.
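A generic defence in depth for the window before a fix is available, as an added example that is not Booktics code and not a vendor workaround: a must-use plugin that hooks WordPress's upgrader_pre_install filter (which WP_Upgrader::run() applies before any install) and aborts plugin installs started by a caller without install_plugins, plus a small audit helper that lists installed plugins missing from an allowlist. It assumes the addon installer goes through Plugin_Upgrader, which the advisory does not confirm; an installer that unpacks files itself never triggers this filter. The plugin name, log format and allowlist are hypothetical.

```php
<?php
/**
 * Plugin Name: Require install_plugins for every plugin install
 * Description: Added hardening example (not Booktics code). Place in
 *              wp-content/mu-plugins/. Aborts any Plugin_Upgrader install
 *              started without the install_plugins capability and records
 *              the attempt. Assumes the vulnerable installer uses
 *              WP_Upgrader; installers that write files directly bypass it.
 */

add_filter( 'upgrader_pre_install', function ( $response, $hook_extra ) {
    // Plugin_Upgrader::install() passes type=plugin, action=install.
    // Leave updates and non-plugin installs untouched.
    if ( ! is_array( $hook_extra )
        || ( $hook_extra['type'] ?? '' ) !== 'plugin'
        || ( $hook_extra['action'] ?? '' ) !== 'install' ) {
        return $response;
    }
    if ( current_user_can( 'install_plugins' ) ) {
        return $response;
    }
    // Anonymous or under-privileged caller: record the attempt, then abort.
    // Returning a WP_Error from this filter makes WP_Upgrader::run() stop.
    error_log( sprintf(
        'blocked plugin install: user=%d ip=%s uri=%s',        // hypothetical log format
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ) );
    return new WP_Error(
        'install_not_allowed',
        'Plugin installation requires the install_plugins capability.'
    );
}, 10, 2 );

/**
 * Audit helper: return installed plugin files (e.g. "akismet/akismet.php")
 * that are not on the administrator-maintained allowlist. Run with
 *   wp eval 'print_r( example_unexpected_plugins( array( "akismet/akismet.php" ) ) );'
 * The allowlist argument is hypothetical site-specific data.
 */
function example_unexpected_plugins( array $allowlist ) {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = array_keys( get_plugins() );           // scans wp-content/plugins
    return array_values( array_diff( $installed, $allowlist ) );
}
```

Because the filter runs inside WordPress after the request has already reached the vulnerable route, it limits damage rather than closing the hole; the web-server or WAF restriction above remains the first line, and the upgrade the only real fix.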


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added:
  Arraytics
  Arraytics booktics – Booking Calendar For Appointments And Service Businesses
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added:
  Arraytics
  Arraytics booktics – Booking Calendar For Appointments And Service Businesses
  Wordpress
  Wordpress wordpress

Tue, 10 Mar 2026 02:45:00 +0000

Type: Description
Values removed: (none)
Values added: The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.

Type: Title
Values removed: (none)
Values added: Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation

Type: Weaknesses
Values removed: (none)
Values added: CWE-306

Type: References
Values removed: (none)
Values added: (not shown on this page)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:30.512Z

Reserved: 2026-02-04T16:46:32.006Z

Link: CVE-2026-1920

Vulnrichment

Updated: 2026-03-10T15:58:06.280Z

NVD

Status: Deferred

Published: 2026-03-10T17:32:46.630

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-1920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses