Description
The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Smart Appointment & Booking plugin for WordPress contains a missing capability check combined with a nonce validation bug in the cancel booking function. The code tests the nonce with an AND operator instead of OR, so supplying any value at all for the nonce parameter skips the check entirely. This lets an unauthenticated attacker who supplies a predictable booking identifier cancel (and thereby alter) that appointment, compromising data integrity and denying service to the legitimate user who made the booking.

Affected Systems

All installations of the Smart Appointment & Booking plugin, version 1.0.8 or earlier, running on a WordPress site are vulnerable. The issue is confined to the cancel booking endpoint exposed by the plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating medium severity. The EPSS score is not provided, and the vulnerability is not listed in CISA's KEV catalog. An attacker can trigger it directly with a crafted HTTP request to the plugin's cancel action without authenticating; the only prerequisite is a valid booking ID, which is predictable and can be guessed or discovered through other means. Because the endpoint enforces no access control, the flaw is exploitable without any authentication.

Generated by OpenCVE AI on May 12, 2026 at 10:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Smart Appointment & Booking plugin to the latest patched release (≥1.0.9), which corrects the capability and nonce checks.
  • If an upgrade is delayed, block unauthenticated access to the cancel endpoint: configure WordPress roles to restrict the cancel capability, or add a firewall rule that prevents non-logged-in requests from reaching the cancel action.
  • For custom deployments, modify the saab_cancel_booking() function to include a proper capability check and replace the vulnerable AND comparison with a correct OR operation on the nonce validation.
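To make the last recommendation concrete, here is an illustrative reconstruction of the flawed check beside a corrected handler. This is added example code, not the plugin's actual source; the parameter names (`security`, `booking_id`), the nonce action string, the `saab_get_booking()`/`saab_set_booking_status()` helpers and the `manage_options` capability are all assumptions.

```php
<?php
// Illustrative reconstruction of the pattern described in the advisory; NOT the plugin's code.
// Assumed names: $_POST['security'] (nonce), $_POST['booking_id'], action 'saab_cancel_booking'.

// VULNERABLE pattern: && where || was intended, and no capability check at all.
// When 'security' is present, the first operand is false, so the whole condition is false
// and the error branch is never reached, whether or not the nonce is valid.
function saab_cancel_booking_vulnerable() {
    if ( ! isset( $_POST['security'] ) && ! wp_verify_nonce( $_POST['security'], 'saab_cancel_booking' ) ) {
        wp_send_json_error( 'Invalid request' );
    }
    $booking_id = absint( $_POST['booking_id'] );
    saab_set_booking_status( $booking_id, 'cancelled' ); // assumed helper
    wp_send_json_success();
}

// HARDENED pattern: fail when the nonce is missing OR invalid, require a logged-in user,
// then enforce object-level authorization on the specific booking (the CWE-862 gap).
function saab_cancel_booking_hardened() {
    // check_ajax_referer() stops with a 403 when the nonce is absent or invalid. It is the
    // standard form of: if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( ... ) ) { ... }
    check_ajax_referer( 'saab_cancel_booking', 'security' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 401 );
    }

    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $booking    = saab_get_booking( $booking_id ); // assumed helper returning an object with ->user_id
    if ( ! $booking ) {
        wp_send_json_error( 'Not found', 404 );
    }

    // Only the booking's owner or a user holding a management capability may cancel it.
    $is_owner   = (int) $booking->user_id === get_current_user_id();
    $is_manager = current_user_can( 'manage_options' ); // assumed; substitute the plugin's own capability
    if ( ! $is_owner && ! $is_manager ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    saab_set_booking_status( $booking_id, 'cancelled' );
    wp_send_json_success();
}
```

Note that fixing the operator alone closes only the nonce bypass; without the ownership check, any logged-in user who can obtain a nonce could still cancel other users' bookings.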

Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress; Zealopensource; Zealopensource smart Appointment & Booking
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress; Zealopensource; Zealopensource smart Appointment & Booking

Tue, 12 May 2026 13:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 08:30:00 +0000

Type: Description
  Values Added: (identical to the Description section above)
Type: Title
  Values Added: Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation
Type: Weaknesses
  Values Added: CWE-862
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:47:37.797Z

Reserved: 2026-04-06T11:20:41.603Z

Link: CVE-2026-5693

Vulnrichment

Updated: 2026-05-12T12:47:34.077Z

NVD

Status: Deferred

Published: 2026-05-12T09:16:54.953

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-5693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:39:31Z

Weaknesses