CVE-2026-12393 in WPS Bookings for WooCommerce Plugininfo

Summary

by MITRE • 07/17/2026

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in WPS Bookings for WooCommerce plugin versions prior to 3.11.7 represents a critical authorization flaw that undermines the integrity of booking order management within WordPress e-commerce environments. This issue stems from insufficient access control mechanisms during the cancellation process, where the plugin fails to validate user permissions before executing destructive operations on booking orders. The flaw allows any authenticated user account, regardless of their role or privileges, to manipulate booking data belonging to other users within the same WordPress installation.

This authorization bypass vulnerability directly violates fundamental security principles and aligns with CWE-285, which addresses insufficient authorization in software systems. The technical implementation fails to perform proper user context verification when processing cancellation requests, meaning that the system does not cross-reference the requesting user's identity against the booking order's owner information. This creates a scenario where malicious or unauthorized users can exploit the plugin's API endpoints to cancel orders they should not have access to, potentially causing significant financial and operational damage to both merchants and legitimate customers.

The operational impact of this vulnerability extends beyond simple data manipulation, as it enables unauthorized order voiding that can result in revenue loss, customer service disruptions, and potential legal complications for businesses relying on accurate booking records. Attackers with subscriber-level privileges can systematically cancel bookings belonging to other customers, disrupting business operations and potentially causing cascading effects throughout the booking management system. This flaw particularly affects WooCommerce merchants who depend on WPS Bookings for managing reservations, appointments, or time-based services where order integrity is paramount.

From a threat modeling perspective, this vulnerability maps to ATT&CK technique T1078 which covers valid accounts usage and privilege escalation through unauthorized access to resources. The security implications are compounded by the fact that the vulnerability exists within a widely used WordPress plugin, making it an attractive target for automated exploitation campaigns. Organizations should implement immediate mitigations including updating to version 3.11.7 or later, reviewing user role permissions, and implementing additional monitoring controls around booking cancellation activities. The fix typically involves implementing proper access control checks that verify the requesting user's ownership of the booking order before permitting any modification operations, thereby ensuring that only authorized individuals can perform administrative actions on booking records.

Additional security measures should include logging all cancellation attempts with detailed audit trails, implementing rate limiting for booking operations to prevent mass cancellation attacks, and conducting regular security assessments of third-party plugins. The vulnerability demonstrates the critical importance of proper input validation and access control implementation in web applications, particularly those handling financial transactions or reservation systems where unauthorized modifications can have significant consequences.

Responsible

WPScan

Reservation

06/16/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!