CVE-2026-1920

MEDIUM

Booking Calendar for Appointments 1.0.16 - Auth Bypass

Title source: llm
STIX 2.1

Description

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.

References (3)

Scores

CVSS v3 5.3
EPSS 0.0007
EPSS Percentile 20.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-306
Status published
Products (1)
arraytics/Booktics – Booking Calendar for Appointments and Service Businesses < 1.0.16
Published Mar 10, 2026
Tracked Since Mar 11, 2026