CVE-2026-1980 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the WPBookit plugin for WordPress, developed by iqonicdesign. The flaw exists in all versions up to and including 1.0.8 due to the absence of an authorization check on the 'get_customer_list' route. This API endpoint is intended to provide customer data but fails to verify whether the requester is authenticated or authorized to access this information. Consequently, an unauthenticated attacker can remotely invoke this endpoint and retrieve sensitive customer details such as names, email addresses, phone numbers, dates of birth, and gender. The vulnerability is remotely exploitable over the network without requiring any user interaction or privileges, making it relatively easy to exploit. The exposure of personally identifiable information (PII) can lead to privacy violations, identity theft, phishing attacks, and regulatory non-compliance, especially under data protection laws like GDPR or CCPA. No patches or fixes are currently published, and no known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 5.3, indicating a medium severity primarily due to the confidentiality impact. The vulnerability does not affect data integrity or availability. The lack of authentication and authorization checks represents a critical design oversight in the plugin's API security model.

The primary impact of CVE-2026-1980 is the unauthorized disclosure of sensitive customer information, which can have several consequences for affected organizations. Exposure of PII such as names, emails, phone numbers, dates of birth, and gender can facilitate identity theft, targeted phishing campaigns, social engineering attacks, and reputational damage. Organizations may face legal and regulatory repercussions if they fail to protect customer data in accordance with privacy laws like GDPR, HIPAA, or CCPA. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can erode customer trust and result in financial penalties. Additionally, attackers could use the harvested data as a foothold for further attacks against the organization or its customers. Since WPBookit is a WordPress plugin commonly used for booking and appointment management, businesses in sectors such as hospitality, healthcare, and professional services are particularly vulnerable. The ease of exploitation without authentication increases the risk of automated scanning and mass data harvesting by malicious actors worldwide.

To mitigate CVE-2026-1980, organizations should immediately implement the following measures: 1) Restrict access to the 'get_customer_list' API endpoint by enforcing strict authentication and authorization checks at the web server or application firewall level if a plugin update is not yet available. 2) Disable or remove the vulnerable API route temporarily to prevent unauthorized data access. 3) Monitor web server logs for unusual or repeated access attempts to the 'get_customer_list' endpoint to detect potential exploitation attempts. 4) Inform customers about the potential data exposure and advise them on precautions against phishing or identity theft. 5) Regularly check for updates from iqonicdesign and apply patches promptly once released. 6) Conduct a thorough audit of all WordPress plugins to ensure they follow secure coding practices, especially regarding access control. 7) Employ web application firewalls (WAFs) with custom rules to block unauthenticated requests targeting sensitive API routes. 8) Review and enhance overall WordPress site security, including limiting plugin usage to trusted sources and minimizing unnecessary API exposure. These steps go beyond generic advice by focusing on immediate containment and proactive monitoring until an official patch is available.