CVE-2026-1431 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Booking Calendar plugin for WordPress, developed by wpdevelop. The issue arises from the absence of a capability check in the function wpbc_ajax_WPBC_FLEXTIMELINE_NAV(), which is responsible for handling AJAX requests related to booking timeline navigation. This flaw exists in all plugin versions up to and including 10.14.13. Because the function lacks proper authorization validation, unauthenticated attackers can invoke it to retrieve booking information without any credentials or user interaction. The exposed data includes sensitive customer details such as names, phone numbers, and email addresses, which can be leveraged for identity theft, phishing, or other malicious activities. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity level due to its network exploitability and confidentiality impact, but no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all deployments of the Booking Calendar plugin up to version 10.14.13, which is widely used in WordPress sites globally, especially those managing appointments and bookings. The missing authorization check represents a critical lapse in access control, emphasizing the need for plugin developers to enforce strict capability validations on sensitive AJAX endpoints.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive customer booking information, including personally identifiable information (PII) such as names, phone numbers, and email addresses. This data exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and reputational damage for affected organizations. Attackers could use the stolen data for targeted phishing campaigns, social engineering, or identity theft. Although the vulnerability does not affect data integrity or system availability, the confidentiality breach alone can have significant consequences, especially for businesses relying on customer trust. Since the exploit requires no authentication or user interaction, the attack surface is broad, making any vulnerable site accessible to remote attackers. Organizations running Booking Calendar on public-facing WordPress sites are at risk, particularly those in sectors like healthcare, hospitality, and professional services where booking data is sensitive. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially as details become more widely known.

Organizations should immediately verify if they use the Booking Calendar plugin and identify the plugin version. Since no official patch links are currently available, administrators should consider the following mitigations: 1) Temporarily disable or restrict access to the vulnerable AJAX endpoint (wpbc_ajax_WPBC_FLEXTIMELINE_NAV) via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests. 2) Limit plugin usage to trusted administrators only or restrict plugin access to internal networks if feasible. 3) Monitor web server logs for suspicious access patterns targeting the AJAX function to detect potential exploitation attempts. 4) Contact the plugin vendor (wpdevelop) for updates or patches addressing the missing authorization check. 5) Implement strict least-privilege principles for WordPress user roles to minimize exposure. 6) Consider alternative booking plugins with verified security if a timely patch is not forthcoming. 7) Educate site administrators on the importance of timely plugin updates and security best practices. These targeted mitigations go beyond generic advice by focusing on blocking the specific vulnerable function and monitoring for exploitation attempts.