CVE-2026-1932 identifies a missing authorization vulnerability (CWE-862) in the Appointment Booking Calendar Plugin – Bookr for WordPress, specifically in the update-appointment REST API endpoint. The flaw exists because the plugin fails to perform a capability check to verify whether the requester is authorized to modify appointment data. This omission allows unauthenticated attackers to send crafted requests to the API endpoint and change the status of any appointment, such as confirming, canceling, or rescheduling appointments without permission. The vulnerability affects all versions up to and including 1.0.2. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts integrity only (I:L) without affecting confidentiality or availability. There are no known exploits in the wild yet, and no official patches have been released at the time of this report. The vulnerability could be leveraged to disrupt business workflows, cause confusion among clients, or be used as part of a larger attack chain targeting organizations relying on this plugin for appointment management.

The primary impact of this vulnerability is unauthorized modification of appointment data, which compromises data integrity. Organizations relying on the Bookr plugin for scheduling could face operational disruptions, loss of customer trust, and potential financial losses due to manipulated appointments. Attackers could cancel or alter appointments, leading to missed meetings, double bookings, or fraudulent rescheduling. While confidentiality and availability are not directly affected, the integrity breach can indirectly cause service degradation and reputational harm. Since the exploit requires no authentication or user interaction, the attack surface is broad, increasing risk for any organization using the affected plugin. This could be particularly damaging for businesses in healthcare, legal, or consulting sectors where appointment accuracy is critical.

Until an official patch is released, organizations should implement compensating controls such as restricting access to the REST API endpoints via web application firewalls (WAFs) or IP whitelisting to trusted sources only. Monitoring and logging API requests for unusual activity can help detect exploitation attempts. Disabling or uninstalling the Bookr plugin temporarily can eliminate exposure if feasible. Administrators should also review user permissions and ensure that only authorized personnel can manage appointments. Once a patch is available, immediate application is critical. Additionally, organizations should consider implementing multi-factor authentication and rate limiting on API endpoints to reduce the risk of automated attacks. Regular security audits of WordPress plugins and timely updates are essential to prevent similar vulnerabilities.