CVE-2026-1919
Received Received - Intake
Unauthorized Access via Missing Capability Check in Booktics Plugin

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: Wordfence

Description
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1919
EUVD
EUVD-2026-10466
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
booktics booktics to 1.0.16 (inc)
booktics booktics 1.0.15
booktics booktics 1.0.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The vulnerability in CVE-2026-1919 affects the Booktics WordPress plugin, specifically its REST API endpoints related to orders and appointments. The core issue is a missing or insufficient capability check on multiple REST API endpoints, allowing unauthenticated attackers to access sensitive data.'}, {'type': 'paragraph', 'content': "In particular, the order creation endpoint's permission callback always returns true, meaning any user, including unauthenticated ones, can create orders without proper authorization. This can lead to unauthorized data access and manipulation."}, {'type': 'paragraph', 'content': 'The vulnerability involves complex order and appointment validation logic that attempts to prevent invalid or overlapping bookings, but the lack of proper permission checks undermines these protections.'}] [1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can impact you by allowing unauthorized users to query sensitive data through the plugin's REST API endpoints without authentication."}, {'type': 'paragraph', 'content': 'Additionally, unauthorized attackers can create orders due to the always-true permission callback on the order creation endpoint, potentially leading to fraudulent bookings or manipulation of appointment schedules.'}, {'type': 'paragraph', 'content': 'Such unauthorized access and manipulation can disrupt business operations, cause data integrity issues, and expose private customer or appointment information.'}] [1, 2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability in CVE-2026-1919 involves missing capability checks on multiple REST API endpoints of the Booktics WordPress plugin, specifically under the namespace 'booktics/v1' and routes such as 'orders' and 'appointments'. Detection can focus on monitoring unauthorized or unauthenticated access attempts to these REST API endpoints."}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the following REST API endpoints:'}, {'type': 'list_item', 'content': 'POST, GET, PUT/PATCH, DELETE requests to /wp-json/booktics/v1/orders'}, {'type': 'list_item', 'content': 'GET, POST, PUT/PATCH, DELETE requests to /wp-json/booktics/v1/appointments and related subroutes'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity include using command-line tools like curl or monitoring web server logs for unauthenticated access to these endpoints.'}, {'type': 'list_item', 'content': 'Example curl command to test access without authentication: curl -X GET https://yourdomain.com/wp-json/booktics/v1/orders'}, {'type': 'list_item', 'content': "Example grep command to search web server logs for access to vulnerable endpoints: grep '/wp-json/booktics/v1/orders' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep '/wp-json/booktics/v1/appointments' /var/log/apache2/access.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected POST requests creating orders or appointments without proper authentication can indicate exploitation attempts.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps for CVE-2026-1919 involve restricting unauthorized access to the vulnerable REST API endpoints in the Booktics plugin.

  • Update the Booktics plugin to version 1.0.17 or later, which includes comprehensive fixes addressing this vulnerability.
  • If updating is not immediately possible, restrict access to the REST API endpoints related to Booktics (e.g., /wp-json/booktics/v1/orders and /wp-json/booktics/v1/appointments) via web server configuration or firewall rules to allow only authenticated or trusted users.
  • Implement additional authentication or capability checks on the REST API endpoints to prevent unauthenticated users from accessing or creating orders and appointments.
  • Monitor logs for suspicious activity targeting these endpoints and respond accordingly.

These steps help prevent unauthorized data access and order creation until the plugin is fully patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1919. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart