VYPR
Medium severity 6.7 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 28, 2026

CVE-2026-22341

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse. This issue affects Booked: from n/a through <= 3.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authentication bypass in Case-Themes Booked plugin (<=3.0.0) allows low-privileged users to perform admin actions, potentially leading to full site takeover.

An authentication bypass vulnerability exists in the Case-Themes Booked WordPress plugin, affecting all versions up to and including 3.0.0. The issue stems from a missing or insufficient authorization check in an alternate path or channel, allowing an attacker to bypass normal authentication procedures. This is classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288). [1]

Exploitation does not require administrative privileges; any authenticated user (or potentially unauthenticated, depending on the attack vector) can leverage this flaw to invoke functions normally reserved for higher-privileged roles. The vulnerability is expected to be actively exploited in mass campaigns, targeting thousands of websites irrespective of their size or popularity. The official disclosure notes that attackers can abuse this to perform actions that should only be executable by higher privileged users. [1]

The primary impact is privilege escalation: a malicious actor can gain unauthorized administrative access to the WordPress site. This could lead to complete site compromise, including data theft, defacement, or injection of malicious content. The CVSS v3 score is 6.7 (Medium), but the threat is amplified by the likelihood of automated exploitation. [1]

As an immediate mitigation, users must update the Booked plugin to version 3.0.1 or later, which contains a patch for this vulnerability. For those unable to update immediately, it is recommended to contact the hosting provider or a web developer for assistance. The vulnerability is listed as likely to be targeted by exploit campaigns, underscoring the urgency of remediation. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
