CVE-2026-1932
BaseFortify
Publication date: 2026-02-14
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bookr | bookr | to 1.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Appointment Booking Calendar Plugin β Bookr plugin for WordPress has a vulnerability due to a missing capability check on the update-appointment REST API endpoint in all versions up to and including 1.0.2.
This means that unauthenticated attackers can modify the status of any appointment without proper authorization.
Specifically, the updateAppointment endpoint does not enforce permission checks, allowing unauthorized users to change appointment data.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to modify appointment statuses, which can lead to unauthorized changes in booking data.
Potential impacts include disruption of appointment schedules, manipulation of booking information, and loss of trust from users relying on accurate appointment data.
Since attackers can change appointment statuses without authentication, this could also lead to confusion, missed appointments, or fraudulent acceptance or rejection of bookings.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized modification of appointment data via the update-appointment REST API endpoint without proper capability checks. To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the REST API endpoint related to appointment updates.'}, {'type': 'list_item', 'content': 'Look for HTTP PUT requests to the endpoint path similar to: /wp-json/bookr/v1/update-appointment'}, {'type': 'list_item', 'content': 'Check web server access logs for unusual or unauthenticated PUT requests to this endpoint.'}, {'type': 'list_item', 'content': 'Use command-line tools like curl to test if the endpoint allows unauthenticated updates, for example:'}, {'type': 'list_item', 'content': 'curl -X PUT https://yourwordpresssite.com/wp-json/bookr/v1/update-appointment -d \'{"appointment_id":1,"status":"confirmed"}\' -H "Content-Type: application/json"'}, {'type': 'list_item', 'content': 'Use tools like grep or awk to filter logs for suspicious REST API calls, e.g.:'}, {'type': 'list_item', 'content': "grep 'PUT /wp-json/bookr/v1/update-appointment' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Monitor for unexpected changes in appointment statuses or data in the WordPress database.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include:
- Restrict access to the update-appointment REST API endpoint by implementing proper capability checks or authentication.
- Update the Bookr plugin to a version that includes the fix for this vulnerability once it is released.
- If an update is not yet available, consider temporarily disabling the Bookr plugin or blocking REST API calls to the vulnerable endpoint via web server rules or firewall.
- Monitor logs for suspicious activity targeting the update-appointment endpoint and investigate any unauthorized changes.
- Ensure that your WordPress installation and all plugins are kept up to date to reduce exposure to known vulnerabilities.