CVE-2026-9180 in MotoPress Appointment Booking Plugin
Summary
by MITRE • 07/03/2026
The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the `POST /motopress/appointment/v1/bookings` REST endpoint being registered with `'permission_callback' => '__return_true'`, allowing unauthenticated access, while the `createBooking` handler in `BookingsRestController.php` accepts an attacker-supplied `payment_details.booking_id` value and loads the referenced booking via `findById()` without verifying that the caller owns or has any rights to that booking. This makes it possible for unauthenticated attackers to overwrite the customer name, email address, phone number, and `customer_id` of any non-confirmed victim booking by submitting a request with no reservation items, causing `BookingService::createBooking()` to load the existing victim booking object and persist it with attacker-controlled customer data. Victim booking IDs can be harvested prior to exploitation without authentication by querying the also-publicly-accessible `GET /motopress/appointment/v1/bookings/reservations` endpoint with a guessable `service_id` and date range, and only bookings whose status is not `STATUS_CONFIRMED` (e.g., pending or auto-draft) are valid targets.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/04/2026
This vulnerability represents a critical authorization bypass flaw in the MotoPress Appointment Booking WordPress plugin affecting versions up to 2.4.4. The issue stems from improper access control implementation within the REST API endpoints, specifically targeting the booking management functionality. The core technical flaw exists in how the plugin handles user authentication and authorization checks for booking operations, creating a pathway for unauthorized manipulation of booking data. The vulnerability manifests through a combination of insecure permissions configuration and inadequate input validation mechanisms that fail to properly verify user ownership or rights before processing booking modifications.
The technical exploitation occurs through a well-structured attack chain involving multiple API endpoints and data handling processes. The REST endpoint at POST /motopress/appointment/v1/bookings is configured with 'permission_callback' => '__return_true' which effectively disables authentication requirements, allowing any unauthenticated user to submit booking requests. The BookingsRestController.php file contains a createBooking handler that accepts attacker-controlled payment_details.booking_id values without proper authorization verification. When processing these requests, the system loads existing booking objects using findById() method without validating whether the requesting user has legitimate access rights to modify that specific booking, creating a classic authorization bypass scenario.
The operational impact of this vulnerability extends beyond simple data modification to encompass potential customer data compromise and service disruption. Attackers can overwrite critical customer information including names, email addresses, phone numbers, and customer IDs for any pending or auto-draft bookings within the system. This manipulation occurs without requiring authentication credentials or legitimate user privileges, making the attack surface particularly dangerous for businesses relying on appointment booking systems. The vulnerability specifically targets non-confirmed bookings, which typically represent pending reservations that have not yet been finalized, making these records particularly valuable targets for attackers seeking to disrupt service or harvest customer information.
The exploitation process demonstrates sophisticated reconnaissance capabilities allowing attackers to identify valid target booking IDs through the publicly accessible GET /motopress/appointment/v1/bookings/reservations endpoint. This endpoint enables unauthenticated enumeration of available bookings by using guessable service_id values and date ranges, providing attackers with a systematic approach to discovering vulnerable records. The attack requires only basic knowledge of the system's API structure and timing information, making it particularly dangerous as it can be automated and scaled across multiple booking systems. The requirement that bookings must not be in STATUS_CONFIRMED provides a clear targeting mechanism while also limiting the scope of exploitable records to those in transitional states.
From a cybersecurity perspective, this vulnerability aligns with CWE-863 (Authorization Bypass Through User-Controlled Key) and represents a common pattern of insecure direct object references combined with improper access control implementation. The attack follows typical adversary techniques from the MITRE ATT&CK framework, specifically leveraging initial access through public API endpoints to achieve privilege escalation and data manipulation objectives. Organizations should consider implementing proper rate limiting, authentication requirements, and input validation controls to prevent such unauthorized modifications. The vulnerability highlights the importance of comprehensive security testing for REST APIs, particularly in WordPress plugins where third-party components often introduce security gaps that can be exploited by threat actors seeking to compromise business operations and customer data integrity.
Mitigation strategies should focus on immediate patching of affected plugin versions along with implementation of proper access control mechanisms throughout the REST API endpoints. System administrators must ensure that all booking-related endpoints require appropriate authentication and authorization checks before processing any modifications to booking records. The plugin developers should modify the permission_callback configuration to enforce proper authentication requirements and implement robust input validation that verifies user ownership before allowing any booking modifications. Additionally, organizations should consider implementing monitoring solutions to detect unusual patterns of booking access and modification attempts, particularly targeting non-confirmed bookings that represent the most vulnerable state in the booking lifecycle.