CVE-2026-1920: CWE-306 Missing Authentication for Critical Function in arraytics Booktics – Booking Calendar for Appointments and Service Businesses
CVE-2026-1920 is a medium severity vulnerability in the Booktics WordPress plugin that allows unauthenticated attackers to modify data by exploiting a missing authentication check in the update_item_permissions_check function. This flaw enables attackers to install addon plugins without proper authorization, potentially leading to unauthorized changes in the booking system. The vulnerability affects all versions up to and including 1.0.16. Although no known exploits are currently in the wild, the ease of remote exploitation without user interaction makes this a significant risk. The vulnerability impacts the integrity of the affected systems but does not directly affect confidentiality or availability. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized plugin installations. Countries with high WordPress usage and significant adoption of the Booktics plugin, especially those with large service-based businesses relying on appointment scheduling, are at greater risk. Immediate action is recommended to avoid potential exploitation and maintain system integrity.
AI Analysis
Technical Summary
CVE-2026-1920 is a vulnerability identified in the Booktics – Booking Calendar for Appointments and Service Businesses WordPress plugin developed by arraytics. The issue stems from a missing capability check in the 'Extension_Controller::update_item_permissions_check' function, which is responsible for verifying whether a user has the necessary permissions to perform certain critical actions. Due to this missing authentication, unauthenticated attackers can remotely invoke this function to install addon plugins without any authorization. This vulnerability affects all versions of the plugin up to and including version 1.0.16. The lack of authentication checks means that no user privileges or interaction are required to exploit this flaw, making it accessible over the network with low attack complexity. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), indicating a failure to enforce proper access controls on sensitive operations. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the impact on integrity (unauthorized modification of data) but no direct impact on confidentiality or availability. No patches or fixes have been linked yet, and no known exploits are reported in the wild as of the publication date. However, the potential for unauthorized plugin installation could lead to further compromise if malicious addons are deployed, potentially escalating privileges or enabling persistent backdoors within affected WordPress sites.
Potential Impact
The primary impact of CVE-2026-1920 is the unauthorized modification of data integrity within WordPress sites using the vulnerable Booktics plugin. Attackers can install addon plugins without authentication, which could lead to the deployment of malicious code, backdoors, or further exploitation of the hosting environment. This undermines the trustworthiness of the booking system, potentially disrupting business operations and damaging customer trust. While confidentiality and availability are not directly affected by this vulnerability, the installation of malicious addons could indirectly lead to data leakage or denial of service if exploited further. Organizations relying on Booktics for appointment scheduling and service management may face operational disruptions, reputational damage, and increased risk of broader compromise if attackers leverage this vulnerability as an initial foothold. The ease of exploitation and lack of required user interaction increase the likelihood of automated attacks targeting vulnerable sites.
Mitigation Recommendations
To mitigate CVE-2026-1920, organizations should immediately verify if they are using the Booktics plugin version 1.0.16 or earlier and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should restrict access to WordPress administrative endpoints and plugin management interfaces using web application firewalls (WAFs) or IP whitelisting to limit exposure. Implementing strict file system permissions to prevent unauthorized plugin installations can also reduce risk. Monitoring WordPress logs for unusual plugin installation activities and scanning for unauthorized addons is recommended. Additionally, disabling or removing the vulnerable plugin temporarily can be considered if the booking functionality is not critical or alternative solutions exist. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs. Finally, subscribing to vendor and security mailing lists for updates on patches or further advisories is essential.
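The following is an added illustration, not code from the Booktics plugin or from arraytics, of the CWE-306 pattern the analysis above describes: a WordPress REST controller whose permission callback passes every caller, beside the hardened form that requires an authenticated user holding the capability matching the action (installing plugin code maps to install_plugins). The class name, route namespace, route path and text domain are assumptions; only the method name update_item_permissions_check comes from the advisory.

```php
<?php
// Added illustration (not Booktics code): a missing REST permission check
// beside a hardened one. Class, namespace and route are hypothetical.

class Example_Extension_Controller extends WP_REST_Controller {

    protected $namespace = 'example/v1';   // assumed namespace
    protected $rest_base = 'extensions';   // assumed route base

    public function register_routes() {
        register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\w-]+)', array(
            array(
                'methods'             => WP_REST_Server::EDITABLE,
                'callback'            => array( $this, 'update_item' ),
                // WordPress runs this before update_item(). Whatever it returns
                // decides whether an anonymous request reaches the install logic.
                'permission_callback' => array( $this, 'update_item_permissions_check' ),
                'args'                => array(
                    'id' => array(
                        'required'          => true,
                        'sanitize_callback' => 'sanitize_key',
                    ),
                ),
            ),
        ) );
    }

    // VULNERABLE shape (CWE-306): every request, including unauthenticated
    // ones, is allowed through. Shown here only for contrast; do not wire it.
    public function update_item_permissions_check_unchecked( $request ) {
        return true;
    }

    // Hardened shape: tie the check to the capability the action really needs.
    // current_user_can() is false for anonymous callers, and
    // rest_authorization_required_code() yields 401 for them and 403 for
    // logged-in users who lack the capability.
    public function update_item_permissions_check( $request ) {
        if ( ! current_user_can( 'install_plugins' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to install extensions.', 'example' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return true;
    }

    public function update_item( $request ) {
        // Install/activate logic omitted; it must only run after the check above.
        return rest_ensure_response( array(
            'id'     => $request['id'],
            'status' => 'queued',
        ) );
    }
}

add_action( 'rest_api_init', function () {
    $controller = new Example_Extension_Controller();
    $controller->register_routes();
} );
```

Two points worth checking when auditing a plugin for this class of bug: every route registered with register_rest_route should carry a permission_callback that actually consults current_user_can() (or an equivalent) rather than returning true or __return_true, and the capability named should match the sensitivity of the action (install_plugins for installing code, not a weaker one such as read). For cookie-authenticated callers WordPress core additionally validates the X-WP-Nonce header before the permission callback runs, which is why a correct callback, not a nonce alone, is the control that stops unauthenticated use.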
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-04T16:46:32.006Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69af86aaea502d3aa8f4fe84
Added to database: 3/10/2026, 2:49:14 AM
Last enriched: 3/10/2026, 3:03:36 AM
Last updated: 3/10/2026, 5:06:33 AM