CVE-2026-48881

TrueBooker – Appointment Booking and Scheduler System <= 1.1.9 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.2.0
Patched in
7d
Time to patch

Description

The TrueBooker – Appointment Booking and Scheduler System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.9
PublishedJune 2, 2026
Last updatedJune 8, 2026

What Changed in the Fix

Changes introduced in v1.2.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-48881 ## 1. Vulnerability Summary The **TrueBooker – Appointment Booking and Scheduler System** plugin (<= 1.1.9) contains a **Missing Authorization** vulnerability in its setup wizard AJAX handlers. The plugin registers several AJAX actions—most notably `tru…

Show full research plan

Exploitation Research Plan - CVE-2026-48881

1. Vulnerability Summary

The TrueBooker – Appointment Booking and Scheduler System plugin (<= 1.1.9) contains a Missing Authorization vulnerability in its setup wizard AJAX handlers. The plugin registers several AJAX actions—most notably truebooker_skip_wizard and potentially admin_setting_setup_data—without implementing sufficient capability checks (current_user_can()) or verifying nonces. This allows unauthenticated attackers to perform unauthorized administrative actions, such as skipping the plugin's configuration wizard or modifying plugin settings.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: truebooker_skip_wizard (Primary), admin_setting_setup_data (Secondary)
  • Method: POST
  • Authentication: Unauthenticated (PR:N)
  • Preconditions: The plugin must be active. The setup wizard is typically active on fresh installations.
  • Vulnerable Parameter: action=truebooker_skip_wizard

3. Code Flow

  1. Entry Point (Client): In assets/js/setup_wizard.js, the #tb-skip button has a click event handler (line 64) that sends an unauthenticated AJAX request:
    jQuery('#tb-skip').on('click', function(e){
        e.
    

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.