Medium severity5.3NVD Advisory· Published Mar 10, 2026· Updated Apr 22, 2026

CVE-2026-1919

Description

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data.

Affected products

Booktics/Booking Calendar for Appointments and Service Businesses – Bookticsllm-create
Range: <=1.0.16

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/booktics/tags/1.0.15/core/appointment/controllers/appointment-controller.phpnvd
plugins.trac.wordpress.org/browser/booktics/tags/1.0.15/core/customer/controllers/customer-controller.phpnvd
plugins.trac.wordpress.org/browser/booktics/tags/1.0.15/core/order/controllers/order-controller.phpnvd
plugins.trac.wordpress.org/browser/booktics/tags/1.0.15/core/team-member/controllers/team-member-controller.phpnvd
plugins.trac.wordpress.org/changeset/3477898/bookticsnvd
www.wordfence.com/threat-intel/vulnerabilities/id/c88dcf62-4b6c-4ff0-8530-5aefd54bd347nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000