CVE-2026-1797: CWE-862 Missing Authorization in themetechmount Truebooker – Appointment Booking and Scheduler System
CVE-2026-1797 is a medium severity vulnerability in the Truebooker Appointment Booking and Scheduler WordPress plugin by themetechmount. The flaw is a missing authorization control (CWE-862) that allows unauthenticated attackers to directly access certain PHP view files, exposing sensitive information. This vulnerability affects all versions up to and including 1.1.4. Exploitation requires no authentication or user interaction and can lead to disclosure of potentially sensitive data, though it does not impact integrity or availability. No known exploits are currently reported in the wild. Organizations using this plugin on WordPress sites should prioritize restricting direct access to these files and monitor for updates or patches from the vendor. The vulnerability poses a particular risk to websites relying on Truebooker for appointment scheduling, especially in countries with high WordPress usage and significant small-to-medium business sectors. Given the medium CVSS score of 5.
AI Analysis
Technical Summary
CVE-2026-1797 identifies a missing authorization vulnerability (CWE-862) in the Truebooker Appointment Booking and Scheduler plugin for WordPress developed by themetechmount. This vulnerability exists in all plugin versions up to 1.1.4 and allows unauthenticated attackers to access certain PHP view files directly via HTTP requests. These view files contain sensitive information that should normally be protected by access controls. Because the plugin fails to enforce proper authorization checks on these files, attackers can retrieve data without needing to authenticate or interact with the system. The vulnerability is classified as Sensitive Information Exposure, meaning confidentiality is impacted while integrity and availability remain unaffected. The CVSS 3.1 base score is 5.3, reflecting network attack vector, low attack complexity, no privileges required, and no user interaction needed. No patches or fixes have been published yet, and no exploits have been observed in the wild. The vulnerability is significant for WordPress sites using Truebooker for appointment scheduling, as exposed data could include booking details or user information. The flaw stems from insecure direct object references or improper access control in the plugin’s PHP view files, a common issue in web applications that do not validate user permissions on resource access. Mitigation requires restricting direct access to these files, applying web server rules, or updating the plugin once a patch is available.
Potential Impact
The primary impact of CVE-2026-1797 is the unauthorized disclosure of sensitive information from the Truebooker plugin’s PHP view files. This can lead to leakage of appointment details, user data, or configuration information that attackers could use for further attacks such as social engineering, targeted phishing, or reconnaissance. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach can undermine user trust and violate data protection regulations. Organizations relying on Truebooker for managing appointments may face reputational damage and compliance risks if sensitive client or business information is exposed. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad. However, the lack of known exploits and the medium severity score indicate the threat is moderate but should be addressed promptly to prevent escalation or chaining with other vulnerabilities.
Mitigation Recommendations
To mitigate CVE-2026-1797, organizations should immediately implement access control restrictions on the vulnerable PHP view files within the Truebooker plugin. This can be done by configuring the web server (e.g., Apache .htaccess or Nginx rules) to deny direct HTTP access to these files or restrict access to authenticated users only. Additionally, administrators should monitor web server logs for suspicious requests targeting these files. Until an official patch is released by themetechmount, consider disabling or removing the plugin if it is not critical. Regularly check for updates from the vendor and apply patches promptly once available. Employing a Web Application Firewall (WAF) with custom rules to block unauthorized access attempts to plugin directories can provide an additional layer of defense. Finally, conduct security audits and penetration tests focusing on authorization controls in WordPress plugins to identify similar weaknesses.
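The pattern behind a CWE-862 finding of this kind, and the developer-side fix that the recommendations above assume the vendor will ship, can be shown on a small hypothetical plugin. The code below is an added example, not code from the Truebooker plugin or from themetechmount; the plugin slug "example-booking", the file paths, the function names and the sample booking rows are all assumptions made for illustration. It shows a loader that renders a view only behind a capability check, and a view file that refuses to run when requested directly over HTTP, the condition the advisory describes.

```php
<?php
// Added example (not code from the Truebooker plugin or themetechmount): a
// hypothetical WordPress plugin "example-booking" split into a loader and a
// view file, showing the authorization checks whose absence is CWE-862.
// All paths, slugs, function names and data below are assumptions.

// ===== File 1 (assumed): wp-content/plugins/example-booking/example-booking.php

// Register an admin page whose callback is the only intended way to render the
// view. The third argument is the capability WordPress requires for the page.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Bookings',                      // page title
        'Bookings',                      // menu title
        'manage_options',                // required capability
        'example-booking-list',          // menu slug
        'example_booking_render_list'    // callback
    );
} );

function example_booking_render_list() {
    // Defence in depth: re-check authorization at the call site, so the
    // requirement does not live only in the menu registration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-booking' ), 403 );
    }

    // Constructed sample data; a real plugin would query its booking table.
    $bookings = array(
        array( 'id' => 17, 'customer' => 'A. Example', 'when' => '2026-04-02 10:00' ),
        array( 'id' => 18, 'customer' => 'B. Example', 'when' => '2026-04-02 11:30' ),
    );

    // $bookings stays in scope inside the included view.
    require plugin_dir_path( __FILE__ ) . 'views/booking-list.php';
}

// ===== File 2 (assumed): wp-content/plugins/example-booking/views/booking-list.php

// Weak form: a view file that begins straight at the markup further down.
// A request for
//   GET /wp-content/plugins/example-booking/views/booking-list.php
// makes the web server execute it outside WordPress: no login, no capability
// check, and whatever it renders or errors with is returned to an anonymous
// visitor. The hardened form adds two guards before any output.

// Guard 1: refuse to execute unless WordPress has been bootstrapped. On a
// direct request wp-load.php never ran, so the ABSPATH constant is undefined.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

// Guard 2: enforce authorization inside the view itself, so an include from an
// unchecked code path (an AJAX handler, a shortcode) still cannot expose data.
if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( esc_html__( 'Insufficient permissions.', 'example-booking' ), 403 );
}

// Render only what the caller handed in, escaped on output.
$bookings = ( isset( $bookings ) && is_array( $bookings ) ) ? $bookings : array();
?>
<table class="widefat">
    <thead><tr><th>ID</th><th>Customer</th><th>When</th></tr></thead>
    <tbody>
    <?php foreach ( $bookings as $b ) : ?>
        <tr>
            <td><?php echo (int) $b['id']; ?></td>
            <td><?php echo esc_html( $b['customer'] ); ?></td>
            <td><?php echo esc_html( $b['when'] ); ?></td>
        </tr>
    <?php endforeach; ?>
    </tbody>
</table>
```

Guard 1 is the portable fix, because it works regardless of how the web server is configured; the web server rule recommended above (an Apache or Nginx deny rule for direct requests to `.php` files under the plugin's view directory, with the path taken from the actual deployment) is the operator-side stopgap until the vendor ships that guard. Guard 2 is what distinguishes a real authorization check from the bootstrap guard alone: being loaded inside WordPress does not by itself mean the requesting user is allowed to see the data.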
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-03T10:00:39.307Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cb5a45e6bfc5ba1dd9cecb
Added to database: 3/31/2026, 5:23:17 AM
Last enriched: 3/31/2026, 5:38:49 AM
Last updated: 3/31/2026, 7:51:45 AM