CVE-2026-1919 in Booktics Plugin
Summary
by MITRE • 03/10/2026
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data.
Analysis
by VulDB Data Team • 03/15/2026
CVE-2026-1919 affects the Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress, which businesses use to manage appointment scheduling and service bookings through their WordPress sites. The flaw sits in the plugin's REST API implementation: several endpoints are registered without a capability check, so the server never verifies that the caller is authorized before dispatching the request. In WordPress terms, the route's permission callback is either absent or unconditionally permissive, and an unauthenticated visitor can therefore call the endpoint with no credentials and no user privileges. All versions up to and including 1.0.16 are affected.
The weakness is classified as CWE-284 (Improper Access Control): the plugin fails to verify, at the endpoint level, that the requesting principal holds the permission required for the data it returns. Exploitation requires nothing more than knowing the route paths, which WordPress itself advertises in the REST index at /wp-json/ unless a site disables it, and sending ordinary HTTP requests. The affected endpoints likely expose the data a booking plugin manages: appointment records, customer contact details, service configuration and schedules. Because no authentication is required, anyone who can reach the site can retrieve that information, which is a data breach and a privacy violation in its own right.
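The following is an added example, not code from the Booktics plugin, showing the anti-pattern behind a "missing capability check on a REST endpoint" next to the fixed form. The namespace `example-booking/v1`, the route paths, the function `example_booking_list` and the sample records are hypothetical; the WordPress functions used (`register_rest_route`, `current_user_can`, `rest_authorization_required_code`, `rest_ensure_response`) are real core APIs.

```php
<?php
// Added example (not Booktics code). Hypothetical namespace, routes and data.
add_action( 'rest_api_init', function () {
    // VULNERABLE: the permission callback unconditionally returns true, so any
    // anonymous visitor can read the bookings. Omitting 'permission_callback'
    // entirely has the same effect (WordPress 5.5+ logs a _doing_it_wrong
    // notice but still serves the route as public).
    register_rest_route( 'example-booking/v1', '/bookings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_booking_list',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the request is dispatched only if the caller holds a capability
    // an anonymous visitor never has. 'manage_options' is a placeholder; a real
    // plugin should register a narrower capability for booking data.
    register_rest_route( 'example-booking/v1', '/bookings-admin', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_booking_list',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                // 401 for logged-out callers, 403 for logged-in callers
                // without the capability.
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view bookings.', 'example-booking' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Stands in for the plugin's database query; the records are constructed.
function example_booking_list( WP_REST_Request $request ) {
    $bookings = array(
        array(
            'id'       => 1,
            'customer' => 'A. Example',
            'email'    => 'a@example.test',
            'slot'     => '2026-03-20T09:00',
        ),
    );
    return rest_ensure_response( $bookings );
}
```

Two points matter when checking a fix like this. First, for cookie-authenticated REST calls WordPress only recognises the logged-in user if the request carries a valid X-WP-Nonce header; without it `current_user_can()` evaluates against an anonymous user, which is exactly why the hardened callback rejects a bare browser or curl request. Second, the check must live in `permission_callback` (or at the top of the handler), not in the front-end JavaScript: the route is reachable directly at `/wp-json/example-booking/v1/bookings` regardless of what the UI shows.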
Operationally, the risk to a business running Booktics is direct: an unauthenticated attacker can harvest customer contact details, booking records and service schedules, and that data is useful for identity theft, targeted phishing and competitive intelligence. The impact extends beyond the exposure itself, since names, e-mail addresses and appointment times are exactly the material social engineering and payment fraud build on. Organizations that hold customer data in the plugin and leave the flaw unmitigated also face regulatory exposure under data protection regimes such as GDPR and CCPA. Because every release up to 1.0.16 is affected and exploitation leaves no more trace than an ordinary HTTP GET in the web server log, installations that are not actively monitored may remain exposed for a long time without anyone noticing.
The primary mitigation is to update the plugin to a release newer than 1.0.16 in which the vendor adds the missing capability checks, and to treat that update as urgent because exploitation is unauthenticated. Where the update cannot be applied immediately, restrict the plugin's REST routes at the edge (web application firewall or web server rules keyed on the /wp-json/ route prefix) or deny unauthenticated access to them on the WordPress side, and review web server logs for unauthenticated requests to those routes, particularly repeated enumeration from a single client. Administrators should also audit their other plugins for REST routes that register no meaningful permission callback, since this class of bug is common in the WordPress ecosystem. In ATT&CK terms the exploitation itself is T1190 (Exploit Public-Facing Application); the downstream misuse of harvested customer data for targeted phishing maps to T1566 (Phishing). Regular security audits and prompt patching remain the baseline for preventing similar access control failures.
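As an added example of the WordPress-side stopgap described above (not a file shipped by Booktics or VulDB), the must-use plugin below denies unauthenticated access to every route under a chosen REST namespace before WordPress dispatches it, and logs each denied attempt so the web server log is not the only evidence of probing. The namespace `/example-booking/v1/` is hypothetical; replace it with the affected plugin's own namespace, which is listed in the REST index at `/wp-json/`. The filter `rest_pre_dispatch`, `WP_REST_Request::get_route()`, `current_user_can()` and `rest_authorization_required_code()` are real core APIs.

```php
<?php
/**
 * Plugin Name: Example REST namespace guard (added example, not Booktics code)
 * Description: Temporary virtual patch. Place in wp-content/mu-plugins/.
 */

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Hypothetical prefix; set this to the vulnerable plugin's real namespace.
    $guarded_prefix = '/example-booking/v1/';

    // Routes outside the guarded namespace are left to normal dispatch.
    if ( 0 !== strpos( $request->get_route(), $guarded_prefix ) ) {
        return $result;
    }

    // Anonymous callers (user ID 0) never hold this capability, so they are
    // refused before the plugin's own unchecked callback can run. Narrow the
    // capability if the plugin defines one of its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        $client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf(
            'rest-guard: denied %s %s from %s',
            $request->get_method(),
            $request->get_route(),
            $client
        ) );
        return new WP_Error(
            'rest_forbidden',
            'Authentication with sufficient privileges is required for this endpoint.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}, 10, 3 );
```

Returning a non-null value from `rest_pre_dispatch` short-circuits dispatch, so the plugin's handler is never invoked for a denied request. The trade-off is that the guard also blocks legitimate anonymous front-end calls to the same namespace, such as a public widget that lists free slots; after installing it, exercise the booking front end and either narrow `$guarded_prefix` to the routes that return customer data or accept the breakage until the vendor update is applied. Remove the mu-plugin once the updated release is in place, since a stale guard can mask a later regression.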