Description
Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.5.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch Now
AI Analysis

Impact

This vulnerability arises from a missing authorization check in the WordPress TrueBooker appointment‑booking plugin. The flaw allows an attacker to execute privileged operations or access data that should be restricted, potentially manipulating bookings, retrieving personal information, or otherwise altering the state of the system. The weakness is classified as CWE‑862, indicating that authorization is improperly enforced, leading to unauthorized privilege escalation or leakage of confidential data.

Affected Systems

The issue affects WordPress sites that have installed the TrueBooker plugin from the vendor themetechmount. All releases up to and including version 1.1.5 are affected, while any version newer than 1.1.5 is assumed to contain the fix. Site owners must verify the plugin version and ensure they are not running an affected release.

Risk and Exploitability

Because the flaw permits actions without proper authorization, an attacker can exploit it through the plugin's web interface, typically via HTTP requests to endpoints that assume a valid user session. No public exploit is documented and the EPSS score is currently unavailable, but the absence of a restriction makes the vulnerability potentially high impact. The issue is not listed in the CISA KEV catalog, indicating that it is not currently known to be exploited in the wild. Nonetheless, the missing authorization check is a serious security risk for any site lacking additional controls.

Generated by OpenCVE AI on April 8, 2026 at 10:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the TrueBooker plugin to the latest available version that resolves the broken access control flaw.
  • If an update is not possible, temporarily deactivate the plugin or remove it from the site until a fix can be applied.
  • Audit user role permissions to ensure no excessive privileges exist for booking‑related functions.
  • Apply any applicable WordPress core security hardening measures such as security plugins and regular patch management.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Removed: none
Values Added:
  • Themetechmount
  • Themetechmount truebooker
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added:
  • Themetechmount
  • Themetechmount truebooker
  • Wordpress
  • Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Values Removed: none
Values Added:
  • Description: Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.5.
  • Title: WordPress TrueBooker plugin <= 1.1.5 - Broken Access Control vulnerability
  • Weaknesses: CWE-862
  • References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:37.575Z

Reserved: 2026-04-07T10:57:59.670Z

Link: CVE-2026-39663

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:37.490

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:13Z
