CVE-2026-2230: CWE-639 Authorization Bypass Through User-Controlled Key in wpdevelop Booking Calendar
The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user.
AI Analysis
Technical Summary
CVE-2026-2230 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Booking Calendar plugin for WordPress, developed by wpdevelop. The flaw exists in the handle_ajax_save function, where the plugin does not validate a user-controlled key parameter and instead trusts it as supplied. This missing check allows authenticated attackers with at least Subscriber-level access and granted booking permissions to manipulate other users' plugin settings. Specifically, attackers can alter booking calendar display options, which can disrupt the normal functioning of the booking calendar for the targeted user. The vulnerability affects all versions up to and including 10.14.14. The CVSS v3.1 base score is 4.3 (medium severity), reflecting a network attack vector, low attack complexity, low privileges (a logged-in user), no user interaction, and an impact on integrity only, not on confidentiality or availability. No patches or known exploits are currently reported, but the vulnerability's presence in a widely used WordPress plugin poses a risk to organizations relying on this plugin for booking management. The flaw does not allow data disclosure or system compromise, but altering user-specific settings can cause operational disruption, potentially leading to confusion or an application-level denial of service of the booking function for the targeted user.
Potential Impact
For European organizations, the primary impact is operational disruption of booking services managed via the Booking Calendar plugin. This can affect customer experience, appointment scheduling, and internal resource management, particularly in sectors like hospitality, healthcare, and professional services that rely heavily on booking systems. Since the vulnerability allows modification of plugin settings by unauthorized users with limited privileges, it can lead to inconsistent or incorrect calendar displays, potentially causing scheduling conflicts or loss of trust in the service. Although the vulnerability does not compromise sensitive data or system availability, the integrity of booking configurations is at risk. Organizations with multiple users having booking permissions are more vulnerable to insider threats or compromised accounts exploiting this flaw. The medium severity rating indicates a moderate risk, but the ease of exploitation by authenticated users makes it a concern for environments with many users or delegated permissions.
Mitigation Recommendations
To mitigate CVE-2026-2230, organizations should first audit and restrict booking permissions to the minimum necessary users, avoiding granting booking permissions broadly, especially to Subscriber-level users. Implement strict role-based access controls within WordPress to limit who can modify booking settings. Monitor user activity logs for unusual changes to booking calendar configurations. Since no patch is currently available, consider temporarily disabling the Booking Calendar plugin or replacing it with alternative booking solutions if feasible. Keep the plugin updated and apply any future patches promptly once released by wpdevelop. Additionally, implement multi-factor authentication (MFA) for all WordPress accounts to reduce the risk of compromised credentials being used to exploit this vulnerability. Regularly review plugin permissions and user roles to ensure compliance with the principle of least privilege.
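To make the CWE-639 pattern from the technical summary and the "monitor configuration changes" mitigation concrete, here is an added PHP sketch of a WordPress AJAX handler. It is not the Booking Calendar plugin's code; the function names, the `demo_manage_bookings` capability, the nonce action and the user-meta key are all hypothetical. It contrasts a handler that trusts a request-supplied user key with one that derives the target from the session, gates edits of other users, and records who changed whose settings.

```php
<?php
// Added illustration (hypothetical names), not the plugin's own code.
// CWE-639 shape: the account whose settings are saved comes from a request key.

// --- Vulnerable shape, shown for contrast only (never registered below) ---
function demo_ajax_save_vulnerable() {
    check_ajax_referer( 'demo_calendar_save', 'nonce' );   // CSRF check does not help here
    $target_user = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $options     = demo_sanitize_options( isset( $_POST['options'] ) ? (array) $_POST['options'] : array() );
    // Missing check: nothing ties $target_user to the requester, so any user with
    // access to this endpoint can overwrite another user's options.
    update_user_meta( $target_user, 'demo_calendar_options', $options );
    wp_send_json_success();
}

// --- Hardened shape: target derived from the session, other users gated by capability ---
function demo_ajax_save_hardened() {
    check_ajax_referer( 'demo_calendar_save', 'nonce' );
    if ( ! current_user_can( 'demo_manage_bookings' ) ) {   // hypothetical plugin capability
        wp_send_json_error( array( 'message' => 'Booking permission required' ), 403 );
    }
    $actor  = get_current_user_id();
    $target = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $actor;
    // Acting on another account requires WordPress's edit_user meta capability
    // (held by Administrators by default), so a Subscriber can only touch their own row.
    if ( $target !== $actor && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to modify this user' ), 403 );
    }
    $options = demo_sanitize_options( isset( $_POST['options'] ) ? (array) $_POST['options'] : array() );
    update_user_meta( $target, 'demo_calendar_options', $options );
    // Audit trail: actor and target are logged so cross-user edits stand out in review.
    error_log( sprintf( 'demo_calendar: options changed actor=%d target=%d', $actor, $target ) );
    wp_send_json_success();
}

// Allow-list the option keys so only known display settings are stored.
function demo_sanitize_options( array $raw ) {
    $allowed = array( 'view', 'start_day', 'show_legend' );   // hypothetical option names
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( wp_unslash( $raw[ $key ] ) );
        }
    }
    return $clean;
}

add_action( 'wp_ajax_demo_calendar_save', 'demo_ajax_save_hardened' );
```

The logged `actor`/`target` pair is what a reviewer would grep for when checking the activity-monitoring recommendation above: any line where the two differ and the actor is not an Administrator deserves a look.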
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-08T18:51:36.435Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6996fb478fb9188dea8c0328
Added to database: 2/19/2026, 12:00:07 PM
Last enriched: 2/19/2026, 12:05:04 PM
Last updated: 2/21/2026, 12:18:05 AM