CVE-2026-5693
Description
The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Smart Appointment & Booking plugin for WordPress up to 1.0.8 allows unauthenticated attackers to cancel arbitrary bookings due to improper nonce validation.
The vulnerability exists in the saab_cancel_booking() function of the Smart Appointment & Booking plugin for WordPress versions up to 1.0.8. A missing capability check combined with a nonce validation logic flaw allows unauthorized modification of data. Specifically, the nonce check uses the && operator instead of ||, meaning that providing any value for the security parameter causes the entire check to be skipped [1].
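The operator flaw named in the Description and in the paragraph above, as an added illustration. This is not the plugin's source: `demo_verify_nonce()` is a hypothetical stand-in for WordPress's `wp_verify_nonce()`, `$can_manage` stands in for a capability check such as `current_user_can()`, and the request fields and token are constructed.

```php
<?php
// Added illustration of the operator flaw; NOT the plugin's source code.
// demo_verify_nonce() is a hypothetical stand-in for wp_verify_nonce(), and
// $can_manage stands in for a capability check such as current_user_can().

function demo_verify_nonce($nonce): bool {
    // Constructed token; real nonces are per-user, per-action and time-limited.
    return is_string($nonce) && hash_equals('constructed-valid-nonce', $nonce);
}

// Flawed guard: rejects only when the field is missing AND the nonce is invalid.
// Once 'security' is present, !isset() is false, && short-circuits, and the
// nonce is never verified.
function guard_flawed(array $post): bool {
    if (!isset($post['security']) && !demo_verify_nonce($post['security'] ?? null)) {
        return false; // request rejected
    }
    return true; // handler goes on to change the booking
}

// Corrected guard: rejects when the field is missing OR the nonce is invalid,
// then requires the caller to hold the capability.
function guard_fixed(array $post, bool $can_manage): bool {
    if (!isset($post['security']) || !demo_verify_nonce($post['security'])) {
        return false;
    }
    return $can_manage;
}

// Constructed request bodies (booking_id is a placeholder field name).
$cases = [
    'no security field' => ['booking_id' => '1'],
    'arbitrary value'   => ['booking_id' => '1', 'security' => 'x'],
    'valid nonce'       => ['booking_id' => '1', 'security' => 'constructed-valid-nonce'],
];

foreach ($cases as $label => $post) {
    printf(
        "%-18s flawed=%-6s fixed(no cap)=%-6s fixed(cap)=%s\n",
        $label,
        var_export(guard_flawed($post), true),
        var_export(guard_fixed($post, false), true),
        var_export(guard_fixed($post, true), true)
    );
}
```

Only the flawed guard accepts the "arbitrary value" case, and the corrected guard still refuses a valid nonce when the capability is absent, which covers both defects the description lists.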
To exploit this, an unauthenticated attacker can send a request to cancel a booking by simply supplying a predictable booking ID. No authentication is required, and the attacker does not need a valid nonce. The predictable booking IDs make it easy to enumerate and cancel multiple bookings.
The impact is that an attacker can cancel arbitrary bookings, disrupting the booking system and potentially causing loss of service for legitimate users. This could lead to reputation damage and financial loss for businesses relying on the plugin.
As of May 6, 2026, the plugin has been closed on the WordPress plugin repository pending a full review. Users are advised to remove or replace the plugin immediately.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.0.8
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.8/inc/front/class.saab.front.action.php (nvd)
- plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php (nvd)
- wordpress.org/plugins/smart-appointment-booking/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/afc3531d-6134-4b45-b532-37430d96a8fb (nvd)