{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22341", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:11.736Z", "datePublished": "2026-02-20T15:46:59.242Z", "dateUpdated": "2026-04-28T16:46:46.228Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "booked", "product": "Booked", "vendor": "Case-Themes", "versions": [{"lessThanOrEqual": "3.0.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:30.825Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.<p>This issue affects Booked: from n/a through <= 3.0.0.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.This issue affects Booked: from n/a through <= 3.0.0."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.601Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-account-takeover-vulnerability?_s_id=cve"}], "title": "WordPress Booked plugin <= 3.0.0 - Account Takeover vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T17:30:33.831559Z", "id": "CVE-2026-22341", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:46:46.228Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22341", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:11.736Z", "datePublished": "2026-02-20T15:46:59.242Z", "dateUpdated": "2026-04-28T16:46:46.228Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "booked", "product": "Booked", "vendor": "Case-Themes", "versions": [{"lessThanOrEqual": "3.0.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:30.825Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.<p>This issue affects Booked: from n/a through <= 3.0.0.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.This issue affects Booked: from n/a through <= 3.0.0."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.601Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-account-takeover-vulnerability?_s_id=cve"}], "title": "WordPress Booked plugin <= 3.0.0 - Account Takeover vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T17:30:33.831559Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T19:54:29.272Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.This issue affects Booked: from n/a through <= 3.0.0."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n utilizando una ruta o canal alternativo en Case-Themes Booked booked permite el abuso de autenticaci\u00f3n. Este problema afecta a Booked: desde n/a hasta &lt;= 3.0.0."}], "id": "CVE-2026-22341", "lastModified": "2026-04-28T19:36:29.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:32.630", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-account-takeover-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Booked", "source": "cna", "vendor": "Case-Themes"}, "product": "booked", "vendor": "case-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:37:09.853252+00:00", "value": {"mitigation_remediation": ["Upgrade the Case\u2011Themes Booked plugin to any release newer than 3.0.0 to remove the authentication bypass bug.", "Enforce strong password policies and enable multi\u2011factor authentication for all site users to protect against account compromise even if the flaw is somehow leveraged.", "Disable or restrict direct URL access to administrative or user\u2011editable endpoints that are known to be exposed by the plugin; implement proper access controls so only authorized roles can reach those paths."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected system is the WordPress Booked plugin developed by Case\u2011Themes, specifically any installation of the plugin at version 3.0.0 or earlier. All WordPress sites that include this plugin version are subject to the flaw until a newer version is installed. No other products or versions are mentioned in the data.", "description_and_impact": "The vulnerability is an Authentication Bypass Using an Alternate Path or Channel flaw that allows an attacker to abuse authentication and potentially assume legitimate user accounts. The issue is tied to the common weakness category of Authentication and is identified as CWE-288. The effect is that without proper authentication checks, an attacker could potentially take over user accounts and access any functionality available to that role, thereby compromising confidentiality and integrity of the website data. The description explicitly states that the bug enables authentication abuse, and because the flaw remains present until version 3.0.0, any site running an affected build is exposed to this risk.", "risk_and_exploitability": "The CVSS score of 6.7 places the vulnerability in the moderate severity range, while the EPSS score of less than 1% indicates a very low but non\u2011zero probability that the flaw is actively exploited in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no widespread exploitation has been observed. The likely attack vector is an alternate or hidden URL path that bypasses the normal authentication flow, allowing an attacker to assume a user\u2019s identity. Successful exploitation would require only knowledge of a valid user account, so the scope is broadly limited to the site\u2019s user base and the level of privileges granted. The risk is therefore primarily to confidentiality and potential control over the site\u2019s administrative functions."}}}}, "created": "2026-02-23T14:36:46.906202+00:00", "updated": "2026-04-28T17:45:16.126892+00:00", "vendors": ["case-themes", "case-themes$PRODUCT$booked", "wordpress", "wordpress$PRODUCT$wordpress"]}