CVE-2026-1919
Unauthorized Access via Missing Capability Check in Booktics Plugin
Publication date: 2026-03-10
Last updated on: 2026-03-10
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| booktics | booktics | up to and including 1.0.16 |
| booktics | booktics | 1.0.15 |
| booktics | booktics | 1.0.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-1919 affects the Booktics WordPress plugin, specifically its REST API endpoints related to orders and appointments. The core issue is a missing or insufficient capability check on multiple REST API endpoints, allowing unauthenticated attackers to access sensitive data.

In particular, the order creation endpoint's permission callback always returns true, meaning any user, including unauthenticated ones, can create orders without proper authorization. This can lead to unauthorized data access and manipulation.

The vulnerability involves complex order and appointment validation logic that attempts to prevent invalid or overlapping bookings, but the lack of proper permission checks undermines these protections. [1, 2]
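The always-true permission callback described above, shown beside the capability-gated form that the mitigation section asks for, as an added example that is not Booktics' own code. The route namespace and name follow this advisory; the handler name, the `manage_booktics_orders` capability and the WordPress stand-in functions (so the file runs with plain `php`) are assumptions.

```php
<?php
// Added example, not Booktics' own code: the weak REST route registration the
// advisory describes beside a hardened one. The route follows the advisory
// (booktics/v1/orders); the handler and capability names are assumptions.
// Stand-ins so the file runs outside WordPress (php example.php); inside a
// plugin these are core functions and must not be redefined.
if (!function_exists('__return_true')) { function __return_true() { return true; } }
if (!function_exists('current_user_can')) {
    function current_user_can($cap) { return !empty($GLOBALS['demo_caps'][$cap]); }
}
if (!function_exists('register_rest_route')) {
    function register_rest_route($ns, $route, $args) { $GLOBALS['demo_routes']["$ns/$route"] = $args; }
}
function booktics_demo_create_order($request) { return ['created' => true]; }

// WEAK (CWE-306): __return_true as permission_callback lets any request,
// authenticated or not, reach the order-creation handler.
function booktics_demo_register_weak() {
    register_rest_route('booktics/v1', 'orders', [
        'methods'             => 'POST',
        'callback'            => 'booktics_demo_create_order',
        'permission_callback' => '__return_true',
    ]);
}

// HARDENED: gate the route on a capability. WordPress turns a false return into
// a rest_forbidden error (401 for anonymous, 403 for logged-in callers) before
// the handler runs. 'manage_booktics_orders' is an assumed capability name.
function booktics_demo_orders_permission($request) {
    return current_user_can('manage_booktics_orders');
}
function booktics_demo_register_hardened() {
    register_rest_route('booktics/v1', 'orders', [
        'methods'             => 'POST',
        'callback'            => 'booktics_demo_create_order',
        'permission_callback' => 'booktics_demo_orders_permission',
    ]);
}

// Simulated dispatch: run the registered permission callback, then the handler.
function booktics_demo_dispatch(callable $register, array $caps) {
    $GLOBALS['demo_routes'] = []; $GLOBALS['demo_caps'] = $caps;
    $register();
    $args = $GLOBALS['demo_routes']['booktics/v1/orders'];
    $allowed = call_user_func($args['permission_callback'], null);
    return $allowed === true ? call_user_func($args['callback'], null) : 'rest_forbidden';
}
var_dump(booktics_demo_dispatch('booktics_demo_register_weak', []));      // anonymous caller
var_dump(booktics_demo_dispatch('booktics_demo_register_hardened', []));  // anonymous caller
var_dump(booktics_demo_dispatch('booktics_demo_register_hardened', ['manage_booktics_orders' => true]));
```

The weak registration hands the anonymous caller an order; the hardened one lets only a caller holding the capability through, which is the check the plugin's own routes need to make for every order and appointment endpoint.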
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to query sensitive data through the plugin's REST API endpoints without authentication.

Additionally, unauthorized attackers can create orders due to the always-true permission callback on the order creation endpoint, potentially leading to fraudulent bookings or manipulation of appointment schedules.

Such unauthorized access and manipulation can disrupt business operations, cause data integrity issues, and expose private customer or appointment information. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in CVE-2026-1919 involves missing capability checks on multiple REST API endpoints of the Booktics WordPress plugin, specifically under the namespace 'booktics/v1' and routes such as 'orders' and 'appointments'. Detection can focus on monitoring unauthorized or unauthenticated access attempts to these REST API endpoints.

To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the following REST API endpoints:
- POST, GET, PUT/PATCH, DELETE requests to /wp-json/booktics/v1/orders
- GET, POST, PUT/PATCH, DELETE requests to /wp-json/booktics/v1/appointments and related subroutes

Suggested commands to detect suspicious activity include using command-line tools like curl or monitoring web server logs for unauthenticated access to these endpoints.
- Example curl command to test access without authentication: `curl -X GET https://yourdomain.com/wp-json/booktics/v1/orders`
- Example grep command to search web server logs for access to vulnerable endpoints: `grep '/wp-json/booktics/v1/orders' /var/log/apache2/access.log`
- `grep '/wp-json/booktics/v1/appointments' /var/log/apache2/access.log`

Additionally, monitoring for unexpected POST requests creating orders or appointments without proper authentication can indicate exploitation attempts. [1, 2]
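The log check suggested above, carried a step further than the grep commands, as an added example that is not part of the advisory or the plugin: it parses combined-format access log lines, keeps only successful write requests (POST/PUT/PATCH/DELETE) to the two routes named in this advisory, and counts them per client, flagging writes that carry no Referer (the site's own admin pages send one; bare API clients usually do not). It runs with plain `php` on the web host; the log lines, client addresses and timestamps are constructed for the demo.

```php
<?php
// Added example (not from the advisory or the plugin): find write requests to
// the Booktics REST routes in a combined-format access log, the same check the
// grep commands above do, with per-client counts and a missing-Referer flag.
// The log lines, IPs and timestamps below are constructed for the demo.
$sample_log = <<<'LOG'
203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /wp-json/booktics/v1/appointments?date=2026-03-11 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:10:01:09 +0000] "POST /wp-json/booktics/v1/orders HTTP/1.1" 201 188 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:10:01:10 +0000] "POST /wp-json/booktics/v1/orders HTTP/1.1" 201 188 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:10:02:44 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:10:03:01 +0000] "DELETE /wp-json/booktics/v1/appointments/42 HTTP/1.1" 200 40 "https://shop.example/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:10:03:05 +0000] "POST /wp-json/booktics/v1/orders HTTP/1.1" 403 60 "-" "curl/8.5"
LOG;

// One combined-format line -> ['ip','method','path','status','referer'] or null.
function booktics_demo_parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/';
    if (!preg_match($re, $line, $m)) return null;
    return ['ip' => $m[1], 'method' => $m[2], 'path' => explode('?', $m[3], 2)[0],
            'status' => (int) $m[4], 'referer' => $m[5]];
}

// Per client: successful (2xx/3xx) write requests to the advisory's routes.
// Writes with no Referer did not come from the site's own admin pages, which
// is worth a closer look while the plugin is unpatched.
function booktics_demo_find_writes(string $log): array {
    $routes = ['/wp-json/booktics/v1/orders', '/wp-json/booktics/v1/appointments'];
    $writes = ['POST', 'PUT', 'PATCH', 'DELETE'];
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        $r = booktics_demo_parse_line($line);
        if ($r === null || $r['status'] >= 400 || !in_array($r['method'], $writes, true)) continue;
        foreach ($routes as $route) {
            if ($r['path'] === $route || str_starts_with($r['path'], $route . '/')) {
                $key = $r['method'] . ' ' . $route . ($r['referer'] === '-' ? ' (no Referer)' : '');
                $hits[$r['ip']][$key] = ($hits[$r['ip']][$key] ?? 0) + 1;
            }
        }
    }
    return $hits;
}

foreach (booktics_demo_find_writes($sample_log) as $ip => $counts) {
    foreach ($counts as $what => $n) {
        printf("%-14s %3d  %s\n", $ip, $n, $what);
    }
}
```

Rejected requests (4xx/5xx) are skipped so that the report shows only writes the server actually accepted; the refused `curl` attempt in the sample therefore never appears.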
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2026-1919 involve restricting unauthorized access to the vulnerable REST API endpoints in the Booktics plugin.
- Update the Booktics plugin to version 1.0.17 or later, which includes comprehensive fixes addressing this vulnerability.
- If updating is not immediately possible, restrict access to the REST API endpoints related to Booktics (e.g., /wp-json/booktics/v1/orders and /wp-json/booktics/v1/appointments) via web server configuration or firewall rules to allow only authenticated or trusted users.
- Implement additional authentication or capability checks on the REST API endpoints to prevent unauthenticated users from accessing or creating orders and appointments.
- Monitor logs for suspicious activity targeting these endpoints and respond accordingly.
These steps help prevent unauthorized data access and order creation until the plugin is fully patched.