{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1920", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T16:46:32.006Z", "datePublished": "2026-03-10T02:21:49.040Z", "dateUpdated": "2026-04-08T17:14:30.512Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:30.512Z"}, "affected": [{"vendor": "arraytics", "product": "Booktics \u2013 Booking Calendar for Appointments and Service Businesses", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar for Appointments and Service Businesses \u2013 Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins."}], "title": "Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab051f4a-030a-44aa-8cbf-665c6c6d31a7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booktics/tags/1.0.15/core/extensions/controllers/extension-controller.php#L110"}, {"url": "https://plugins.trac.wordpress.org/changeset/3477898/booktics/trunk/core/extensions/controllers/extension-controller.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto"}], "timeline": [{"time": "2026-03-09T09:46:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-09T13:22:01.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:58:05.221042Z", "id": "CVE-2026-1920", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:52:24.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1920", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:58:05.221042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:58:06.280Z"}}], "cna": {"title": "Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation", "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "arraytics", "product": "Booktics \u2013 Booking Calendar for Appointments and Service Businesses", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-09T09:46:26.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-09T13:22:01.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab051f4a-030a-44aa-8cbf-665c6c6d31a7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booktics/tags/1.0.15/core/extensions/controllers/extension-controller.php#L110"}, {"url": "https://plugins.trac.wordpress.org/changeset/3477898/booktics/trunk/core/extensions/controllers/extension-controller.php"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar for Appointments and Service Businesses \u2013 Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:30.512Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1920", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:30.512Z", "dateReserved": "2026-02-04T16:46:32.006Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-10T02:21:49.040Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Calendar for Appointments and Service Businesses \u2013 Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins."}, {"lang": "es", "value": "El plugin Booking Calendar para Appointments and Service Businesses \u2013 Booktics para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una verificaci\u00f3n de capacidad en la funci\u00f3n 'Extension_Controller::update_item_permissions_check' en todas las versiones hasta la 1.0.16, inclusive. Esto hace posible que atacantes no autenticados instalen plugins adicionales."}], "id": "CVE-2026-1920", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-10T17:32:46.630", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booktics/tags/1.0.15/core/extensions/controllers/extension-controller.php#L110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3477898/booktics/trunk/core/extensions/controllers/extension-controller.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab051f4a-030a-44aa-8cbf-665c6c6d31a7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.16]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Booktics \u2013 Booking Calendar for Appointments and Service Businesses", "source": "cna", "vendor": "arraytics"}, "product": "booktics_\u2013_booking_calendar_for_appointments_and_service_businesses", "vendor": "arraytics"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:44:30.918937+00:00", "value": {"mitigation_remediation": ["Upgrade the Booktics plugin to any version newer than 1.0.16 where the capability check has been added.", "If an upgrade cannot be made immediately, configure the web server or firewall to prevent unauthenticated requests to the 'extension-controller.php' endpoint, ensuring that only authenticated administrators can trigger addon installations.", "Continuously monitor WordPress logs for entries showing addon installation activity and audit plugin directories for unauthorized files."], "summary": {"action": "Update Plugin", "impact": "Unauthorized addon installation"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of the Booktics plugin version 1.0.16 or earlier, as distributed by Arraytics. WordPress sites using these plugin versions are vulnerable regardless of their site configuration, hosting environment, or active management plugins.", "description_and_impact": "The Booktics plugin for WordPress fails to perform a capability check in the Extension_Controller::update_item_permissions_check function. This oversight allows any user that can reach the plugin's update endpoint to install addon plugins without authentication. Directing the endpoint to malicious addons could compromise the integrity of the WordPress site, leading to unauthorized data modifications or plugin execution.", "risk_and_exploitability": "The CVSS base score is 5.3, indicating a moderate risk. The EPSS score is below 1%, implying a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can communicate with the plugin\u2019s update endpoint, which is generally available via the REST API or admin interface. Attackers do not need prior privileges, so once the endpoint is reachable, the flaw can be abused without further compromise."}}}}, "created": "2026-03-10T14:06:05.687551+00:00", "updated": "2026-04-15T17:45:10.771501+00:00", "vendors": ["arraytics", "arraytics$PRODUCT$booktics_\u2013_booking_calendar_for_appointments_and_service_businesses", "wordpress", "wordpress$PRODUCT$wordpress"]}