VYPR
Critical severity 9.1 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-48881


Description

Unauthenticated broken access control in TrueBooker <=1.1.9 allows attackers to perform privileged actions without authentication, leading to critical site compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A broken access control vulnerability exists in the TrueBooker plugin for WordPress versions 1.1.9 and earlier, as disclosed in Patchstack advisory [1]. The flaw allows unauthenticated users to access functions that should require proper authorization or nonce checks, enabling unauthorized privileged actions. All installations running version 1.1.9 or below are affected.

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable endpoints, with no prior access, user interaction, or special network position required. Because authentication or nonce validation is missing, the attack can be performed remotely and automated, making it suitable for mass-exploitation campaigns [1].

Impact

Successful exploitation lets the attacker execute higher-privileged actions, such as modifying or deleting data, bypassing restrictions, or performing unauthorized operations within the WordPress installation. Because the flaw is reachable without authentication and is rated critical (CVSS 9.1), exploitation can lead to full site compromise [1].

Mitigation

Immediately update to version 1.2.0 or later, which contains the fix. Patchstack also provides a mitigation rule to block attacks until the update is applied. No other workarounds have been disclosed [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Patches


No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
