CVE-2026-32432 in WP Time Slots Booking Form Plugin
Summary
by MITRE • 03/13/2026
Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.42.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability identified as CVE-2026-32432 represents a critical missing authorization flaw within the codepeople WP Time Slots Booking Form plugin for WordPress systems. This security weakness stems from incorrectly configured access control security levels that permit unauthorized users to exploit the booking form functionality without proper authentication. The vulnerability specifically impacts versions of the plugin ranging from the initial release through version 1.2.42, creating a substantial attack surface for malicious actors who can manipulate the booking system without legitimate credentials. The flaw essentially allows any user, regardless of their authentication status or role permissions, to access and potentially manipulate booking data through the plugin's interface.
The technical nature of this vulnerability aligns with CWE-285, which addresses improper authorization within software systems. This misconfiguration creates a direct pathway for privilege escalation attacks where unauthenticated users can perform actions typically restricted to authorized administrators or specific user roles. The plugin's access control mechanisms fail to properly validate user credentials or role-based permissions before allowing access to booking form functionalities, including viewing, modifying, or deleting booking records. Attackers can exploit this by directly accessing the plugin's endpoints or by manipulating API calls that should require authentication, potentially leading to data corruption, unauthorized bookings, or complete disruption of the booking system.
The operational impact of this vulnerability extends beyond simple unauthorized access, creating risks for businesses that rely on the booking system for critical operations. Organizations using the affected plugin could experience unauthorized bookings being made, booking data being modified or deleted, or sensitive information being exposed to unauthorized parties. This vulnerability particularly affects businesses in service industries that depend on accurate booking management, as attackers could manipulate availability schedules, double-book appointments, or access confidential customer information. The security implications are compounded by the fact that the vulnerability exists across multiple versions, meaning organizations with outdated plugin installations remain at risk even after updating other system components.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the authorization flaw, as developers typically release patches to resolve such issues. Organizations should implement comprehensive access control reviews to ensure that all plugin functionalities are properly secured, including the implementation of role-based access controls that restrict booking form access to authorized personnel only. Network-level security measures such as web application firewalls should be configured to monitor and restrict access patterns that might indicate exploitation attempts. Additionally, regular security audits of WordPress installations should include thorough checks of plugin configurations to identify and remediate similar authorization issues. The ATT&CK framework categorizes this vulnerability under privilege escalation techniques where attackers leverage misconfigured access controls to gain unauthorized system access, making it essential for organizations to maintain robust security monitoring and incident response procedures to detect and respond to potential exploitation attempts.