CVE-2026-1932
📋 TL;DR
The Bookr WordPress plugin has an authentication bypass vulnerability in its REST API endpoint that allows unauthenticated attackers to modify appointment statuses. This affects all WordPress sites using Bookr plugin versions 1.0.2 and earlier. Attackers can disrupt business operations by changing appointment confirmations, cancellations, or other statuses.
💻 Affected Systems
- WordPress Appointment Booking Calendar Plugin – Bookr
⚠️ Manual Verification Required
This CVE has no affected-version range in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The 1.0.2/1.0.3 figures elsewhere on this page therefore need to be confirmed against the plugin source and the Wordfence advisory linked under References.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically cancel or modify all appointments, causing significant business disruption, financial loss, and reputational damage to organizations relying on appointment bookings.
Likely Case
Attackers modify random appointments to cause confusion, disrupt operations, or test for other vulnerabilities in the system.
If Mitigated
If the endpoint is blocked at the web server or WAF, or the plugin is deactivated, the vulnerable route cannot be reached at all. Even where it is exploited, the flaw as described only changes appointment records, so impact is confined to the booking system; network segmentation does not help here because the endpoint is, by design, reachable from the public internet.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to the REST API endpoint. Attack tools could easily automate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.3 or later
Plugin source (WordPress.org Trac; no separate vendor advisory is linked): https://plugins.trac.wordpress.org/browser/bookr/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Appointment Booking Calendar Plugin – Bookr'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and remove the plugin, then install a fresh copy of version 1.0.3 or later from the WordPress repository.
🔧 Temporary Workarounds
Disable Bookr Plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate bookr
Block REST API Endpoint
Block access to the vulnerable REST API endpoint with web server rules. Both rules below match only the pretty-permalink path; WordPress also serves REST routes through the query string (/index.php?rest_route=/bookr/v1/update-appointment, with the slashes optionally percent-encoded), so a path-only rule is bypassable. Extend the rule to the rest_route form as well, or use a WAF rule that inspects the query string.
# Apache (.htaccess in the WordPress root, after RewriteEngine On; per-directory context, so no leading slash in the pattern)
RewriteRule ^wp-json/bookr/v1/update-appointment - [F]
# Nginx (inside the server block; regex locations take precedence over the catch-all location /)
location ~* ^/wp-json/bookr/v1/update-appointment { return 403; }
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that block requests to the /wp-json/bookr/v1/update-appointment endpoint and the equivalent rest_route=/bookr/v1/update-appointment query-string form
- Monitor and alert on unauthorized modifications to appointment data in database logs
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Bookr version. If version is 1.0.2 or earlier, system is vulnerable.
Check Version:
wp plugin list --name=bookr --field=version
Verify Fix Applied:
After update, verify Bookr plugin version is 1.0.3 or later in WordPress admin panel.
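The version check above, as an added example that is not the page's or the plugin's own code: it reads the installed version with WP-CLI (assumes `wp` is on PATH and the plugin slug is `bookr`, the slug the workaround command uses) and compares it against the first fixed release given on this page. The comparison is split out so it can be run on its own, and pre-release suffixes are handled explicitly so a string such as 1.0.3-beta does not raise.

```python
"""Added example: decide whether an installed Bookr version is in the
affected range (1.0.2 and earlier, per this page). Not code from the page,
the plugin, or Wordfence."""
import re
import subprocess

FIXED_VERSION = "1.0.3"  # first patched release according to this page


def parse_version(v: str) -> tuple:
    """Turn '1.0.2', 'v1.0', or '1.0.3-beta1' into a comparable tuple of ints.

    A pre-release suffix is dropped, so 1.0.3-beta1 compares equal to 1.0.3;
    treat that as 'not vulnerable' only if you trust the beta carried the fix.
    Short versions are padded so that 1.0 == 1.0.0.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_bookr_version(wp_path: str = ".") -> str:
    """Read the active plugin version via WP-CLI (assumption: `wp` on PATH,
    plugin slug 'bookr'). Raises if the plugin is not installed."""
    out = subprocess.run(
        ["wp", "plugin", "get", "bookr", "--field=version", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_bookr_version()
    print(f"Bookr {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Run it from the WordPress root (or pass the install path) on the host itself; it does not probe the endpoint over the network, so it works even after the web-server block above is in place.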
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-json/bookr/v1/update-appointment (or to /index.php?rest_route=/bookr/v1/update-appointment) from clients that send no WordPress login cookie; note that web-server access logs do not record the WordPress session, only the HTTP basic-auth user, which is always "-" on a WordPress site
- Database modifications to wp_bookr_appointments table without corresponding user authentication
Network Indicators:
- Unusual volume of POST requests to WordPress REST API endpoints
- Traffic to /wp-json/bookr/v1/update-appointment from unexpected IP ranges
SIEM Query (field names are illustrative; adjust to your log schema):
source="web_server" AND http_method="POST" AND (uri_path="*/wp-json/bookr/v1/update-appointment*" OR uri_query="*rest_route=*bookr*v1*update-appointment*")
The original form of this query filtered on user="-", but that field is the HTTP basic-auth user, which WordPress never sets, so it is "-" for logged-in and anonymous requests alike and does not identify unauthenticated access. To separate the two, log the presence of a wordpress_logged_in_* cookie at the web server or WAF, or correlate with application-level audit logs.
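The log indicators above, and the rest_route caveat from the workaround section, as an added example that is not the page's, the plugin's, or Wordfence's code. It parses combined-format access lines (constructed here, not taken from any real site), matches the Bookr route by both the pretty-permalink path and the rest_route query-string form that a path-only RewriteRule or location block misses, and deliberately ignores the remote-user field, since it cannot tell a WordPress session from an anonymous request. The endpoint path is the one this page gives; everything else is an assumption for the example.

```python
"""Added example: flag POSTs that reach the Bookr update-appointment REST
route in Apache/nginx combined-format access logs. Log lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# REST route as this page names it, without the /wp-json prefix.
BOOKR_ROUTE = "/bookr/v1/update-appointment"

# Combined log format:
#   host ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def targets_bookr_update(target: str) -> bool:
    """True if the request target reaches the route, either as
    .../wp-json/bookr/v1/update-appointment (any site prefix, optional
    trailing slash) or via ?rest_route=/bookr/v1/update-appointment,
    which WordPress honours even when pretty permalinks are on."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    if path.endswith("/wp-json" + BOOKR_ROUTE):
        return True
    # parse_qs already percent-decodes, so %2Fbookr%2F... is handled too.
    for route in parse_qs(parts.query).get("rest_route", []):
        if route.rstrip("/") == BOOKR_ROUTE:
            return True
    return False


def find_suspicious(log_lines):
    """Return (ip, target, status) for every POST that reaches the route.
    The remote-user field is ignored on purpose: it is HTTP basic-auth,
    not the WordPress session, and is '-' for everyone on a WordPress site."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        if m["method"] == "POST" and targets_bookr_update(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "POST /wp-json/bookr/v1/update-appointment HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Mar/2026:10:00:02 +0000] "POST /index.php?rest_route=%2Fbookr%2Fv1%2Fupdate-appointment HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.4 - - [01/Mar/2026:10:00:03 +0000] "GET /wp-json/bookr/v1/update-appointment HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Mar/2026:10:00:04 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip} POST {target} -> {status}")
```

On the sample, only the two requests from 203.0.113.7 are reported; the second one is the encoded rest_route form that the web-server rules on this page would let through. A 200 on such a request after the block was deployed is the signal that the block is incomplete.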
🔗 References
- https://plugins.trac.wordpress.org/browser/bookr/tags/1.0.2/includes/rest-api/controller/appointment-controller.php#L47
- https://plugins.trac.wordpress.org/browser/bookr/trunk/includes/rest-api/controller/appointment-controller.php#L47
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2ab4baab-9e91-4ed5-9749-4a14e8180e71?source=cve