TrueBooker – Appointment Booking and Scheduler System <= 1.1.9 - Missing Authorization
Description
The TrueBooker – Appointment Booking and Scheduler System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.1.9What Changed in the Fix
Changes introduced in v1.2.0
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-48881 ## 1. Vulnerability Summary The **TrueBooker – Appointment Booking and Scheduler System** plugin (<= 1.1.9) contains a **Missing Authorization** vulnerability in its setup wizard AJAX handlers. The plugin registers several AJAX actions—most notably `tru…
Show full research plan
Exploitation Research Plan - CVE-2026-48881
1. Vulnerability Summary
The TrueBooker – Appointment Booking and Scheduler System plugin (<= 1.1.9) contains a Missing Authorization vulnerability in its setup wizard AJAX handlers. The plugin registers several AJAX actions—most notably truebooker_skip_wizard and potentially admin_setting_setup_data—without implementing sufficient capability checks (current_user_can()) or verifying nonces. This allows unauthenticated attackers to perform unauthorized administrative actions, such as skipping the plugin's configuration wizard or modifying plugin settings.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
truebooker_skip_wizard(Primary),admin_setting_setup_data(Secondary) - Method:
POST - Authentication: Unauthenticated (
PR:N) - Preconditions: The plugin must be active. The setup wizard is typically active on fresh installations.
- Vulnerable Parameter:
action=truebooker_skip_wizard
3. Code Flow
- Entry Point (Client): In
assets/js/setup_wizard.js, the#tb-skipbutton has a click event handler (line 64) that sends an unauthenticated AJAX request:jQuery('#tb-skip').on('click', function(e){ e.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.