CVE-2026-32432
Description
Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.42.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in WP Time Slots Booking Form up to 1.2.42 allows attackers to exploit incorrectly configured access controls, potentially affecting thousands of sites.
Vulnerability Overview
The WP Time Slots Booking Form plugin for WordPress, versions 1.2.42 and earlier, contains a missing authorization vulnerability. This flaw stems from an incorrectly configured access control security level, which means that functions or endpoints intended for higher-privileged users can be accessed without proper permission checks [1]. The issue is classified as a broken access control vulnerability, a common class of flaws where the application fails to enforce authorization for sensitive actions.
Attack Vector and Prerequisites
An attacker can exploit this vulnerability without needing authentication, as the missing authorization does not require a valid user session. The attack surface is the plugin's unauthenticated endpoints that should be restricted to administrators or other privileged roles. No special network position is required; the attack can be performed over the internet at scale. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].
Impact
Successful exploitation allows an attacker to perform actions normally reserved for higher-privileged users, such as modifying booking settings, accessing sensitive booking data, or altering form configurations. The exact impact depends on which functions are unprotected, but the CVSS v3 base score of 5.3 (Medium) indicates a moderate severity, with a potential for significant disruption to affected sites [1].
Mitigation
The vulnerability is patched in version 1.2.43 of the plugin. Users are strongly advised to update immediately. If updating is not possible, temporary workarounds such as disabling the plugin or applying a web application firewall rule may help. Patchstack users can enable auto-updates for vulnerable plugins to receive the fix automatically [1].
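To confirm whether a given site still runs an affected release, the following added example (not code from the plugin or from this advisory) reads the installed plugin's header and compares it with the range above. It assumes the standard `wp-content/plugins/<slug>/` layout and a `Version:` line in a top-level PHP file; the function names and the sample header are constructed for illustration.

```python
import re
import sys
from pathlib import Path

SLUG = "wp-time-slots-booking-form"  # plugin slug from the CVE description
LAST_AFFECTED = (1, 2, 42)           # advisory range: <= 1.2.42 (fixed in 1.2.43)

# Same shape as the header line WordPress itself looks for in plugin files.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

# Constructed sample header, used only when no directory is passed.
SAMPLE_HEADER = "<?php\n/*\n * Plugin Name: Constructed Sample\n * Version: 1.2.42\n */\n"

def parse_version(text):
    """Return the header 'Version:' as a tuple of ints, or None if absent."""
    m = HEADER_RE.search(text[:8192])  # WordPress reads only the first 8 KB
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True for versions <= 1.2.42. Unknown versions fail closed (affected)."""
    if version is None:
        return True
    # Pad short versions so 1.2 compares as 1.2.0; compare numerically so
    # 1.2.5 sorts before 1.2.42 (a plain string comparison gets this wrong).
    padded = version + (0,) * (len(LAST_AFFECTED) - len(version))
    return padded <= LAST_AFFECTED

def audit(plugins_dir):
    """Return (version, affected) for the plugin, or None if not installed."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    version = None
    for php in sorted(plugin_dir.glob("*.php")):
        version = parse_version(php.read_text(errors="replace"))
        if version:
            break
    return version, is_affected(version)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        v = parse_version(SAMPLE_HEADER)
        print("sample header:", v, "affected" if is_affected(v) else "ok")
    for root in sys.argv[1:]:  # e.g. /var/www/site/wp-content/plugins
        print(root, audit(root))
```

Pass one or more `wp-content/plugins` directories as arguments to check several sites in one run.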
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 1.2.42
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.