{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1932", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T21:01:43.286Z", "datePublished": "2026-02-14T05:54:12.182Z", "dateUpdated": "2026-04-08T16:43:32.838Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:32.838Z"}, "affected": [{"vendor": "bssoftware", "product": "Appointment Booking Calendar Plugin \u2013 Bookr", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar Plugin \u2013 Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the status of any appointment."}], "title": "Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ab4baab-9e91-4ed5-9749-4a14e8180e71?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bookr/trunk/includes/rest-api/controller/appointment-controller.php#L47"}, {"url": "https://plugins.trac.wordpress.org/browser/bookr/tags/1.0.2/includes/rest-api/controller/appointment-controller.php#L47"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "MD. TAREQ AHAMED JONY"}], "timeline": [{"time": "2026-02-13T17:29:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T18:45:05.863407Z", "id": "CVE-2026-1932", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T18:45:21.479Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1932", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T18:45:05.863407Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T18:45:11.087Z"}}], "cna": {"title": "Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "MD. TAREQ AHAMED JONY"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "bssoftware", "product": "Appointment Booking Calendar Plugin \u2013 Bookr", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T17:29:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ab4baab-9e91-4ed5-9749-4a14e8180e71?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bookr/trunk/includes/rest-api/controller/appointment-controller.php#L47"}, {"url": "https://plugins.trac.wordpress.org/browser/bookr/tags/1.0.2/includes/rest-api/controller/appointment-controller.php#L47"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar Plugin \u2013 Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the status of any appointment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:32.838Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1932", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:32.838Z", "dateReserved": "2026-02-04T21:01:43.286Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T05:54:12.182Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar Plugin \u2013 Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the status of any appointment."}, {"lang": "es", "value": "El plugin Appointment Booking Calendar \u2013 plugin Bookr para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en el endpoint de la API REST update-appointment en todas las versiones hasta la 1.0.2, e incluy\u00e9ndola. Esto hace posible que atacantes no autenticados modifiquen el estado de cualquier cita."}], "id": "CVE-2026-1932", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T06:16:06.007", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bookr/tags/1.0.2/includes/rest-api/controller/appointment-controller.php#L47"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bookr/trunk/includes/rest-api/controller/appointment-controller.php#L47"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ab4baab-9e91-4ed5-9749-4a14e8180e71?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.2]"}}], "product": "appointment_booking_calendar_plugin_\u2013_bookr", "vendor": "bssoftware"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:47:48.189697+00:00", "value": {"mitigation_remediation": ["Upgrade the Bookr plugin to the latest version that implements a proper capability check on the update\u2011appointment endpoint.", "If an immediate upgrade is not feasible, add a filter or a rule that forces authentication for the Bookr REST API, restricting the update\u2011appointment action to administrators or users with a specific capability, using a security plugin or custom code.", "If upgrade or code changes are not an option, configure a firewall or .htaccess rule to block unauthenticated POST requests to the /wp-json/bookr/v1/update-appointment endpoint."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated modification of appointment status"}, "threat_synthesis": {"affected_systems": "All WordPress installations running Bookr version 1.0.2 or earlier are affected. The plugin provides the REST endpoint through WordPress\u2019s API and is typically installed on websites that use the plugin to manage client appointments.", "description_and_impact": "The Bookr Appointment Booking Calendar Plugin for WordPress contains a missing capability check on the update-appointment REST API endpoint, allowing any unauthenticated user to modify the status of any appointment. This flaw compromises the integrity of appointment data, enabling attackers to arbitrarily confirm, cancel, or otherwise change appointments without authorization. The vulnerability is formally categorized as CWE\u2011862.", "risk_and_exploitability": "The CVSS v3 score is 5.3, indicating moderate severity. EPSS is listed as less than 1\u202f%, reflecting a low current exploitation probability, and the vulnerability is not yet included in CISA\u2019s KEV catalog. Nevertheless, the flaw is exploitable over an application\u2011level REST API, requiring only a crafted HTTP request to the /wp-json/bookr/v1/update-appointment endpoint. Because no authentication is performed, any internet\u2011reachable WordPress site with the vulnerable plugin could be targeted directly, making the risk significant for exposed or poorly monitored services."}}}}, "created": "2026-02-16T12:03:13.369820+00:00", "updated": "2026-04-16T01:00:19.948433+00:00", "vendors": ["bssoftware", "bssoftware$PRODUCT$appointment_booking_calendar_plugin_\u2013_bookr", "wordpress", "wordpress$PRODUCT$wordpress"]}