CVE-2026-9180
Status: Received - Intake

Authorization Bypass in MotoPress Appointment Booking Plugin

Vulnerability report for CVE-2026-9180, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Wordfence

Description

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the `POST /motopress/appointment/v1/bookings` REST endpoint being registered with `'permission_callback' => '__return_true'`, allowing unauthenticated access, while the `createBooking` handler in `BookingsRestController.php` accepts an attacker-supplied `payment_details.booking_id` value and loads the referenced booking via `findById()` without verifying that the caller owns or has any rights to that booking. This makes it possible for unauthenticated attackers to overwrite the customer name, email address, phone number, and `customer_id` of any non-confirmed victim booking by submitting a request with no reservation items, causing `BookingService::createBooking()` to load the existing victim booking object and persist it with attacker-controlled customer data. Victim booking IDs can be harvested prior to exploitation without authentication by querying the also-publicly-accessible `GET /motopress/appointment/v1/bookings/reservations` endpoint with a guessable `service_id` and date range, and only bookings whose status is not `STATUS_CONFIRMED` (e.g., pending or auto-draft) are valid targets.


Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Vendor: motopress
Product: appointment_booking
Version / Range: all versions up to and including 2.4.4

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

Mitigation Strategies

Update the MotoPress Appointment Booking plugin to a release later than 2.4.4. The affected range is every version up to and including 2.4.4; this page does not name the fixed version, so confirm it against the plugin's changelog before relying on the update.

If an update is not immediately possible, restrict the vulnerable REST endpoints, but do so narrowly. Both `POST /motopress/appointment/v1/bookings` and `GET /motopress/appointment/v1/bookings/reservations` accept unauthenticated requests, and the public booking form is the likely consumer of both, so a blanket authentication requirement or IP allow-list will probably break guest bookings for real customers. Prefer a rule that matches the exploit shape instead: reject POSTs to the create route that carry `payment_details.booking_id` from clients who are not logged in, enforced either in a WAF that inspects request bodies or in a must-use plugin hooked before the route's permission callback. Test the front-end booking form after applying any such rule.

Additionally, review logs for POST requests to the create endpoint that are preceded by reservation enumeration from the same client (a standard access log does not record the request body, so the `booking_id` itself is only visible with application-level or WAF logging), check pending and auto-draft bookings for customer details that changed after submission, and consider temporarily deactivating the plugin if exploitation is suspected.
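The following must-use plugin implements the narrow restriction described above as an added example; it is not the vendor's fix and not code from this page. The route name and the `payment_details.booking_id` key come from the description, `rest_request_before_callbacks`, `WP_REST_Request` and `WP_Error` are WordPress core APIs, and the policy that only administrators may reference an existing booking on this route, together with the `cve_2026_9180_*` function names, is this example's own assumption to be checked against how your site's checkout actually behaves.

```php
<?php
/**
 * Plugin Name: CVE-2026-9180 virtual patch (illustrative example)
 * Description: Refuses anonymous booking-create requests that reference an
 *              existing booking through payment_details.booking_id.
 *
 * Place in wp-content/mu-plugins/ so WordPress loads it unconditionally.
 * Assumption: a legitimate guest checkout never names an existing booking
 * on this route. Verify that against real traffic before deploying.
 */

const CVE_2026_9180_ROUTE = '/motopress/appointment/v1/bookings';

/**
 * Return payment_details.booking_id from the request, or 0 when absent.
 * WP_REST_Request::get_param() merges JSON and form-encoded bodies, so both
 * {"payment_details":{"booking_id":42}} and payment_details[booking_id]=42
 * arrive here as a nested array.
 */
function cve_2026_9180_booking_id( WP_REST_Request $request ): int {
	$payment = $request->get_param( 'payment_details' );
	if ( ! is_array( $payment ) || ! isset( $payment['booking_id'] ) ) {
		return 0;
	}
	return (int) $payment['booking_id'];
}

/**
 * Runs before the route's permission_callback and handler. Returning a
 * WP_Error short-circuits WP_REST_Server and is sent to the client as-is,
 * so the plugin's '__return_true' permission callback and createBooking()
 * are never reached for the blocked request shape.
 */
function cve_2026_9180_guard( $response, $handler, WP_REST_Request $request ) {
	if ( 'POST' !== $request->get_method() || CVE_2026_9180_ROUTE !== $request->get_route() ) {
		return $response; // other routes and methods are untouched
	}

	$booking_id = cve_2026_9180_booking_id( $request );
	if ( 0 === $booking_id ) {
		return $response; // ordinary new booking: nothing to re-target
	}

	// A proper owner check needs the plugin's booking model, which this
	// example does not have; without it, only administrators (who can edit
	// any booking anyway) are allowed to reference an existing booking.
	if ( current_user_can( 'manage_options' ) ) {
		return $response;
	}

	// Access logs never show the body, so record the decisive field here.
	error_log( sprintf(
		'CVE-2026-9180 guard: blocked booking_id=%d from ip=%s ua=%s',
		$booking_id,
		$_SERVER['REMOTE_ADDR'] ?? 'unknown',
		(string) $request->get_header( 'user_agent' )
	) );

	return new WP_Error(
		'rest_forbidden',
		'This request may not reference an existing booking.',
		array( 'status' => 403 )
	);
}
add_filter( 'rest_request_before_callbacks', 'cve_2026_9180_guard', 10, 3 );
```

Because the hook fires before the permission callback, the guard works even though the plugin registers the route with `'permission_callback' => '__return_true'`; it does not require modifying plugin files, so it survives plugin updates and can simply be deleted once a fixed release is installed. The `error_log()` line gives you the application-side record of `booking_id` and client IP that the web server's access log cannot provide.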

Executive Summary

The MotoPress Appointment Booking plugin for WordPress is affected by an Authorization Bypass Through User-Controlled Key (CWE-639) weakness in all versions up to and including 2.4.4. The REST endpoint for creating bookings is registered with a permission callback that always returns true, so it accepts requests from unauthenticated callers.

An attacker can supply a booking ID in the payment details that the system uses to load an existing booking without verifying if the attacker owns or has rights to that booking. This lets the attacker overwrite customer information like name, email, phone number, and customer ID on any non-confirmed booking.

Booking IDs can be found without authentication by querying a public endpoint with a guessable service ID and date range, targeting bookings that are pending or in auto-draft status.

Impact Analysis

This vulnerability allows unauthenticated attackers to modify customer information on existing non-confirmed bookings. Because the overwritten fields include `customer_id` as well as the contact details, an attacker can effectively reassign a victim's pending booking to an attacker-chosen customer record, corrupt the booking data that staff rely on, and disrupt appointment scheduling.

Since the attacker controls the replacement contact details, the victim's booking can be detached from the person who made it, which is a privacy and data-integrity problem for the site operator and a potential vector for misuse of the affected customer's appointment.

Detection Guidance

Exploitation cannot be distinguished from ordinary guest bookings by the request path alone: the create endpoint is legitimately reachable without authentication, and a standard access log does not record the request body, so neither `payment_details.booking_id` nor an empty reservation list is visible there. What the access log does show is the shape of the attack chain from the description: a client that first queries `GET /motopress/appointment/v1/bookings/reservations` across a broad date range (booking-ID harvesting) and then issues `POST /motopress/appointment/v1/bookings` within a short interval, typically from a scripted user agent rather than the site's own booking form.

For body-level detection, log the decoded request at the application layer (a WAF with body inspection, or a small WordPress hook) and alert on POST requests to the create route that carry `payment_details.booking_id` while supplying no reservation items.

Note that WordPress exposes REST routes under the `/wp-json/` prefix (or as `/?rest_route=/motopress/...` on sites without pretty permalinks), so log searches and probes must account for it. Example commands:

  • Find requests to either endpoint in the web server log: grep -E '"(GET|POST) [^"]*motopress/appointment/v1/bookings' /var/log/apache2/access.log
  • Check whether the create endpoint is reachable without authentication: curl -i -X POST -H 'Content-Type: application/json' https://yourdomain.com/wp-json/motopress/appointment/v1/bookings -d '{}' (an HTTP 401 or 403 with a `rest_forbidden` error code means a permission callback refused the anonymous call; a 400 validation error or a 200 means the handler ran)
  • Enumerate booking IDs the way the description says an attacker would, via the reservations endpoint with a guessable `service_id` and date range: curl 'https://yourdomain.com/wp-json/motopress/appointment/v1/bookings/reservations?service_id=1&start_date=2026-01-01&end_date=2026-12-31' (the `service_id` name comes from the description; the date-range parameter names are an assumption and should be checked against the plugin's route definition)
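The harvest-then-overwrite correlation described above, as an added example of detection logic that is not code from this page or the vendor: it parses combined-format access-log lines and reports any client that POSTed to the create route shortly after enumerating reservations. The route names come from the description; the log format, the `ACCESS_LOG_RE` pattern, the fifteen-minute window, the function names and the sample log lines (including the assumed date-range parameter names) are this example's own constructions.

```php
<?php
/**
 * Flag the harvest-then-overwrite chain in a combined-format access log:
 * a client that GETs .../bookings/reservations and then POSTs to
 * .../bookings within a short window. Illustrative detection logic;
 * the sample log lines at the bottom are constructed.
 */

const RESERVATIONS_PATH = 'motopress/appointment/v1/bookings/reservations';
const BOOKINGS_PATH     = 'motopress/appointment/v1/bookings';

// Combined log: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
const ACCESS_LOG_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~';

/** Parse one access-log line into its fields, or null if it does not match. */
function parse_access_line( string $line ): ?array {
	if ( ! preg_match( ACCESS_LOG_RE, $line, $m ) ) {
		return null;
	}
	$ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
	if ( false === $ts ) {
		return null;
	}
	return [
		'ip'     => $m[1],
		'ts'     => $ts->getTimestamp(),
		'method' => $m[3],
		'path'   => $m[4],
		'status' => (int) $m[5],
	];
}

/** True if the path hits the REST route, whether via /wp-json/ or ?rest_route=. */
function hits_route( string $path, string $route ): bool {
	return false !== strpos( $path, $route );
}

/**
 * Return one finding per suspicious POST: a POST to the create route from an
 * IP that enumerated reservations at most $window seconds earlier.
 */
function find_harvest_then_post( array $lines, int $window = 900 ): array {
	$enum     = [];   // ip => ['ts' => last reservations GET, 'n' => count]
	$findings = [];
	foreach ( $lines as $line ) {
		$e = parse_access_line( $line );
		if ( null === $e ) {
			continue;
		}
		if ( 'GET' === $e['method'] && hits_route( $e['path'], RESERVATIONS_PATH ) ) {
			$enum[ $e['ip'] ] = [ 'ts' => $e['ts'], 'n' => ( $enum[ $e['ip'] ]['n'] ?? 0 ) + 1 ];
			continue;
		}
		// The create route is a prefix of the reservations route, so exclude the latter.
		if ( 'POST' === $e['method'] && hits_route( $e['path'], BOOKINGS_PATH )
			&& ! hits_route( $e['path'], RESERVATIONS_PATH ) ) {
			$prior = $enum[ $e['ip'] ] ?? null;
			if ( null !== $prior && $e['ts'] - $prior['ts'] <= $window ) {
				$findings[] = [
					'ip'           => $e['ip'],
					'enumerations' => $prior['n'],
					'gap_seconds'  => $e['ts'] - $prior['ts'],
					'post_status'  => $e['status'],
				];
			}
		}
	}
	return $findings;
}

// Constructed sample: 203.0.113.7 sweeps a year of reservations, then POSTs;
// 198.51.100.4 is an ordinary visitor who only submits a booking from the form.
$sample = [
	'203.0.113.7 - - [03/Jul/2026:10:01:02 +0000] "GET /wp-json/motopress/appointment/v1/bookings/reservations?service_id=1&start_date=2026-01-01&end_date=2026-12-31 HTTP/1.1" 200 4821 "-" "curl/8.5.0"',
	'203.0.113.7 - - [03/Jul/2026:10:01:03 +0000] "GET /wp-json/motopress/appointment/v1/bookings/reservations?service_id=2&start_date=2026-01-01&end_date=2026-12-31 HTTP/1.1" 200 3310 "-" "curl/8.5.0"',
	'198.51.100.4 - - [03/Jul/2026:10:02:40 +0000] "POST /wp-json/motopress/appointment/v1/bookings HTTP/1.1" 200 512 "https://example.com/book/" "Mozilla/5.0"',
	'203.0.113.7 - - [03/Jul/2026:10:03:15 +0000] "POST /wp-json/motopress/appointment/v1/bookings HTTP/1.1" 200 498 "-" "curl/8.5.0"',
];

foreach ( find_harvest_then_post( $sample ) as $f ) {
	printf(
		"suspicious: ip=%s reservations_gets=%d gap=%ds post_status=%d\n",
		$f['ip'], $f['enumerations'], $f['gap_seconds'], $f['post_status']
	);
}
```

On the constructed sample only the scripted client is reported: it swept two services across a full year and posted to the create route about two minutes later, whereas the form user never touched the reservations endpoint. Run the same function over a real log by replacing `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`; a match is a lead for checking the affected pending bookings, not proof of compromise, because the body that would show `payment_details.booking_id` is not in the access log.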
