CVE-2026-1797
Sensitive Information Exposure in Truebooker WordPress Plugin
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | truebooker | up to 1.1.4 (inclusive) |
| wordfence | truebooker | 1.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.1.4. The exposure occurs through the plugin's views PHP files, which can be requested directly by unauthenticated attackers.
Because of this, attackers can view potentially sensitive information contained in these exposed PHP files without needing to log in or have any privileges.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to access sensitive customer information managed by the plugin. Such information may include customer names, emails, phone numbers, and booking details.
Exposure of this data can lead to privacy breaches, unauthorized data disclosure, and potential misuse of personal information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the vulnerable views PHP files of the Truebooker Appointment Booking and Scheduler Plugin are accessible without authentication. Specifically, an unauthenticated attacker can directly access these PHP files to view sensitive information.
To detect this on your system, you can attempt to access the views PHP files (such as truebooker-user.php) directly via HTTP requests and observe if sensitive data is exposed.
Example commands to test this might include using curl or wget to request the potentially vulnerable PHP files:
- curl -i http://your-wordpress-site/wp-content/plugins/truebooker-appointment-booking/views/truebooker-user.php
- wget --spider http://your-wordpress-site/wp-content/plugins/truebooker-appointment-booking/views/truebooker-user.php
Note that `curl -i` shows the response headers and body, while `wget --spider` only reports whether the file is reachable (its HTTP status). If a direct request to one of these files succeeds and returns customer records without requiring authentication, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting direct access to the vulnerable views PHP files in the Truebooker plugin to prevent unauthenticated users from viewing sensitive information.
You can do this by implementing access controls such as:
- Configuring your web server (e.g., Apache or Nginx) to deny direct access to the views PHP files or the entire plugin directory.
- Adding authentication checks within the PHP files to ensure only authorized users can access the data.
- Updating the plugin to a version later than 1.1.4 if available, where this vulnerability is fixed.
Until an update is available, blocking access or restricting permissions on these files is critical to prevent sensitive information exposure.
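As an added illustration of the second mitigation (an authorization check inside the PHP file), not code from the Truebooker plugin: a hypothetical view file guarded the way WordPress plugins conventionally are. The `ABSPATH` check is standard WordPress practice; the `manage_options` capability and the `$customers` variable are assumptions.

```php
<?php
// Hypothetical view file modelled on the pattern described above; NOT the
// actual Truebooker source. Two guards are shown; the first alone already
// stops a direct request to /wp-content/plugins/<plugin>/views/<file>.php.

// Guard 1: when WordPress includes a view, ABSPATH is always defined. A
// direct HTTP request to the file executes it without WordPress having been
// loaded, so ABSPATH is undefined and we stop before touching any data.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

// Guard 2: even when loaded through WordPress, only users holding the right
// capability should see customer records. 'manage_options' (administrators)
// is an assumption; the real plugin may use a narrower custom capability.
if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Forbidden', '', array( 'response' => 403 ) );
}

// Only now render the records. $customers is a placeholder; the page does not
// show where the real view obtains its data. Output is escaped so the view
// cannot become an injection point when the data itself is user-supplied.
$customers = isset( $customers ) && is_array( $customers ) ? $customers : array();
echo '<table>';
foreach ( $customers as $c ) {
    printf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        esc_html( $c['name'] ),
        esc_html( $c['email'] ),
        esc_html( $c['phone'] )
    );
}
echo '</table>';
```

Guard 1 is the fix a plugin author ships; guard 2 matters because a view reachable through WordPress (for example via an admin-ajax or shortcode handler) still needs its own authorization check, which is the CWE-862 condition listed above.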
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Appointment Booking and Scheduler Plugin – Truebooker for WordPress allows unauthenticated attackers to access potentially sensitive information via exposed views PHP files. This exposure of sensitive customer data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require that personal and sensitive information be protected from unauthorized access.
Since the plugin handles customer records including names, emails, phone numbers, and other personal details, unauthorized disclosure of this data may violate privacy and security requirements mandated by these standards.