Description
Unauthenticated Cross Site Request Forgery (CSRF) in Booked <= 3.0.0 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to forge requests that the Booked plugin will process, which can lead to unintentional changes in booking records. Because the plugin accepts the request without verifying the caller’s identity, an attacker could potentially alter or expose booking data that a legitimate user has created.

Affected Systems

ThemeREX Booked plugin up to and including version 3.0.0 are affected. No higher version information is provided.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trick a victim’s browser into sending a forged request—such as through a malicious link or form—using the victim’s authenticated session to perform the action.

Generated by OpenCVE AI on July 3, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booked plugin to the latest version released by ThemeREX.
  • If an update cannot be applied immediately, temporarily disable or uninstall the plugin to eliminate the vulnerable code from the site.
  • Review booking records and audit site logs for signs of unauthorized activity while the plugin remains in use.

Generated by OpenCVE AI on July 3, 2026 at 18:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Request Forgery (CSRF) in Booked <= 3.0.0 versions.
Title WordPress Booked plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T19:45:54.787Z

Reserved: 2026-06-25T08:04:34.979Z

Link: CVE-2026-57747

cve-icon Vulnrichment

Updated: 2026-07-02T19:45:49.826Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-03T18:15:15Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)