VYPR
Medium severity · 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 24, 2026

CVE-2026-39663

Description

Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-39663 is a missing authorization vulnerability in the TrueBooker appointment booking plugin that allows attackers to exploit incorrectly configured access control.

CVE-2026-39663 describes a missing authorization vulnerability in the themetechmount TrueBooker plugin for WordPress (truebooker-appointment-booking). All plugin versions through 1.1.5 lack proper access control checks, allowing exploitation of incorrectly configured security levels [1].

The vulnerability stems from a broken access control issue—specifically, the absence of authorization, authentication, or nonce token checks in certain functions. This enables an unprivileged user to execute actions that should require higher privileges. Attackers can exploit this without authentication in some scenarios, making it a candidate for mass-exploit campaigns targeting thousands of sites [1].

The impact of successful exploitation includes unauthorized access to privileged actions, potentially leading to data exposure or manipulation. While the CVSS v3 base score is 5.3 (Medium), the vendor rates it as low severity and notes it is unlikely to be exploited widely [1].

The vulnerability has been addressed in version 1.7 of the TrueBooker plugin. Users are strongly advised to update immediately; those unable to update should seek assistance from their hosting provider or a web developer. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

1
