{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39663", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:59.670Z", "datePublished": "2026-04-08T08:30:37.575Z", "dateUpdated": "2026-04-08T08:30:37.575Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "truebooker-appointment-booking", "product": "TrueBooker", "vendor": "themetechmount", "versions": [{"lessThanOrEqual": "1.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:41.664Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects TrueBooker: from n/a through <= 1.1.5.</p>"}], "value": "Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: from n/a through <= 1.1.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:37.575Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress TrueBooker plugin <= 1.1.5 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: from n/a through <= 1.1.5."}], "id": "CVE-2026-39663", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:37.490", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "TrueBooker", "source": "cna", "vendor": "themetechmount"}, "product": "truebooker", "vendor": "themetechmount"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:02:47.912028+00:00", "value": {"mitigation_remediation": ["Update the TrueBooker plugin to the latest available version that resolves the broken access control flaw.", "If an update is not possible, temporarily deactivate the plugin or remove it from the site until a fix can be applied.", "Audit user role permissions to ensure no excessive privileges exist for booking\u2011related functions.", "Apply any applicable WordPress core security hardening measures such as security plugins and regular patch management."], "summary": {"action": "Patch Now", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the TrueBooker plugin from the vendor themetechmount. All releases up to and including version\u202f1.1.5 are affected, while any version newer than 1.1.5 is assumed to contain the fix. Site owners must verify the plugin version and ensure they are not running an affected release.", "description_and_impact": "This vulnerability arises from a missing authorization check in the WordPress TrueBooker appointment\u2011booking plugin. The flaw allows an attacker to execute privileged operations or access data that should be restricted, potentially manipulating bookings, retrieving personal information, or otherwise altering the state of the system. The weakness is classified as CWE\u2011862, indicating that authorization is improperly enforced, leading to unauthorized privilege escalation or leakage of confidential data.", "risk_and_exploitability": "Because the flaw permits actions without proper authentication, an attacker can exploit the web interface of the plugin, typically via HTTP requests to endpoints that assume a valid user session. No public exploit is documented and the EPSS score is currently unavailable, but the absence of a restriction makes the vulnerability potentially high impact. The vendor has not listed this issue in the CISA KEV catalog, indicating that it is not currently known to be exploited in the wild. Nonetheless, the lack of authorization results in a serious security risk for any site lacking additional controls."}}}}, "created": "2026-04-08T19:28:10.814842+00:00", "updated": "2026-04-08T19:41:13.641640+00:00", "vendors": ["themetechmount", "themetechmount$PRODUCT$truebooker", "wordpress", "wordpress$PRODUCT$wordpress"]}