CVE-2026-1919: CWE-306 Missing Authentication for Critical Function in arraytics Booktics – Booking Calendar for Appointments and Service Businesses
CVE-2026-1919 is a medium severity vulnerability in the Booktics WordPress plugin that allows unauthenticated attackers to access sensitive data via multiple REST API endpoints due to missing authentication checks. This affects all versions up to and including 1. 0. 16. The vulnerability does not allow data modification or system disruption but exposes confidential information, posing privacy and data leakage risks. Exploitation requires no user interaction or privileges and can be performed remotely over the network. No known exploits are currently reported in the wild. Organizations using this plugin for appointment and service bookings should prioritize patching or applying mitigations to prevent unauthorized data disclosure. Countries with significant WordPress usage and e-commerce or service industries relying on this plugin are at higher risk. Mitigation involves implementing strict capability checks on REST API endpoints and monitoring for suspicious API access patterns.
AI Analysis
Technical Summary
CVE-2026-1919 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting the Booktics – Booking Calendar for Appointments and Service Businesses plugin for WordPress, developed by arraytics. The flaw exists in all versions up to 1.0.16, where multiple REST API endpoints lack proper capability checks, allowing unauthenticated attackers to query sensitive data without any authentication or authorization. The vulnerability is remotely exploitable over the network without requiring user interaction or privileges, making it accessible to any attacker aware of the endpoints. The exposed data could include booking details, customer information, or other sensitive business data managed by the plugin. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the confidentiality impact without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the importance of enforcing authentication and authorization checks on all REST API endpoints in WordPress plugins, especially those handling sensitive business data.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive data managed by the Booktics plugin, such as customer appointments, personal information, and business scheduling details. This can lead to privacy violations, reputational damage, and potential regulatory compliance issues for affected organizations. Although the vulnerability does not allow data modification or denial of service, the exposure of confidential information can facilitate further targeted attacks, social engineering, or competitive intelligence gathering. Organizations relying on this plugin for managing appointments and services are at risk of data leakage, which could undermine customer trust and business operations. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic scanning and data harvesting by attackers.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Booktics plugin to a version that includes proper capability checks on all REST API endpoints once available. Until a patch is released, administrators should consider disabling the plugin or restricting access to the REST API endpoints via web application firewalls (WAFs) or server-level access controls to block unauthenticated requests. Implementing strict authentication and authorization mechanisms for all API endpoints is critical. Monitoring and logging REST API access patterns can help detect suspicious activity indicative of exploitation attempts. Additionally, organizations should review and minimize the exposure of sensitive data through APIs and apply the principle of least privilege in plugin configurations. Regular security assessments and plugin audits are recommended to identify similar issues proactively.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands
CVE-2026-1919: CWE-306 Missing Authentication for Critical Function in arraytics Booktics – Booking Calendar for Appointments and Service Businesses
Description
CVE-2026-1919 is a medium severity vulnerability in the Booktics WordPress plugin that allows unauthenticated attackers to access sensitive data via multiple REST API endpoints due to missing authentication checks. This affects all versions up to and including 1. 0. 16. The vulnerability does not allow data modification or system disruption but exposes confidential information, posing privacy and data leakage risks. Exploitation requires no user interaction or privileges and can be performed remotely over the network. No known exploits are currently reported in the wild. Organizations using this plugin for appointment and service bookings should prioritize patching or applying mitigations to prevent unauthorized data disclosure. Countries with significant WordPress usage and e-commerce or service industries relying on this plugin are at higher risk. Mitigation involves implementing strict capability checks on REST API endpoints and monitoring for suspicious API access patterns.
AI-Powered Analysis
Technical Analysis
CVE-2026-1919 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting the Booktics – Booking Calendar for Appointments and Service Businesses plugin for WordPress, developed by arraytics. The flaw exists in all versions up to 1.0.16, where multiple REST API endpoints lack proper capability checks, allowing unauthenticated attackers to query sensitive data without any authentication or authorization. The vulnerability is remotely exploitable over the network without requiring user interaction or privileges, making it accessible to any attacker aware of the endpoints. The exposed data could include booking details, customer information, or other sensitive business data managed by the plugin. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the confidentiality impact without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the importance of enforcing authentication and authorization checks on all REST API endpoints in WordPress plugins, especially those handling sensitive business data.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive data managed by the Booktics plugin, such as customer appointments, personal information, and business scheduling details. This can lead to privacy violations, reputational damage, and potential regulatory compliance issues for affected organizations. Although the vulnerability does not allow data modification or denial of service, the exposure of confidential information can facilitate further targeted attacks, social engineering, or competitive intelligence gathering. Organizations relying on this plugin for managing appointments and services are at risk of data leakage, which could undermine customer trust and business operations. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic scanning and data harvesting by attackers.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Booktics plugin to a version that includes proper capability checks on all REST API endpoints once available. Until a patch is released, administrators should consider disabling the plugin or restricting access to the REST API endpoints via web application firewalls (WAFs) or server-level access controls to block unauthenticated requests. Implementing strict authentication and authorization mechanisms for all API endpoints is critical. Monitoring and logging REST API access patterns can help detect suspicious activity indicative of exploitation attempts. Additionally, organizations should review and minimize the exposure of sensitive data through APIs and apply the principle of least privilege in plugin configurations. Regular security assessments and plugin audits are recommended to identify similar issues proactively.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-04T16:38:59.005Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69af86aaea502d3aa8f4fe7c
Added to database: 3/10/2026, 2:49:14 AM
Last enriched: 3/10/2026, 3:03:49 AM
Last updated: 3/10/2026, 5:06:00 AM
Views: 41
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.