CVE-2026-1920 Overview
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress contains a missing authorization vulnerability in all versions up to and including 1.0.16. The vulnerability exists due to a missing capability check on the Extension_Controller::update_item_permissions_check function, which allows unauthenticated attackers to install addon plugins without proper authorization.
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). In practical terms, the REST permission callback that gates extension installation neither requires the requester to be logged in nor checks for the capability WordPress itself demands before installing a plugin (install_plugins), so a critical operation is reachable by anyone who can reach the site.
Critical Impact
Unauthenticated attackers can install arbitrary addon plugins on vulnerable WordPress sites, potentially leading to site compromise, data theft, or further exploitation through malicious plugin payloads.
Affected Products
- Booktics – Booking Calendar for Appointments and Service Businesses plugin versions ≤ 1.0.16
- WordPress sites running vulnerable Booktics plugin versions
- WordPress multisite installations with Booktics enabled
Discovery Timeline
- 2026-03-10 - CVE-2026-1920 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-1920
Vulnerability Analysis
The vulnerability resides in the Extension_Controller::update_item_permissions_check function within the Booktics WordPress plugin. In the WordPress REST API a route's permission callback is the sole authorization gate: it runs before the route handler, and unless it returns false or a WP_Error the handler executes for whoever sent the request. Because REST requests need no login to reach the server, a permission callback that does not check capabilities exposes the extension update operation, including addon plugin installation, to unauthenticated users.
Permission callbacks are therefore critical security controls in WordPress plugins: they are what ensures that only authorized users (typically administrators) can perform sensitive operations like installing or modifying plugins. When such a check is missing or implemented as an unconditional return true, the endpoint is effectively public.
The impact of this vulnerability allows attackers to bypass the WordPress authorization model entirely. By exploiting this flaw, an unauthenticated attacker can remotely install addon plugins without any valid credentials. This could be leveraged to deploy malicious plugins that execute arbitrary code, establish backdoors, or exfiltrate sensitive data from the WordPress database.
Root Cause
The root cause of this vulnerability is a missing capability check in the update_item_permissions_check method within extension-controller.php. WordPress provides the current_user_can() function to verify user capabilities before performing privileged operations. The vulnerable code path fails to call this function or similar authorization checks, allowing the REST API endpoint to process requests from unauthenticated users.
The vulnerable code is located at line 110 in core/extensions/controllers/extension-controller.php as referenced in the WordPress Plugin Code Reference.
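To make the bug class concrete, here is an added illustration of the vulnerable and fixed permission-callback patterns in a minimal WP_REST_Controller subclass. This is example code written for this page, not Booktics's source: the namespace demo/v1, the class Demo_Extension_Controller, the route and argument names are hypothetical stand-ins, and install_plugins is the capability WordPress core requires for plugin installation rather than a confirmed detail of the Booktics fix.

```php
<?php
/**
 * Added illustration (not Booktics's code) of the bug class behind CVE-2026-1920
 * and its fix. Class, namespace and route names are hypothetical stand-ins.
 * Runs inside WordPress (needs WP_REST_Controller, register_rest_route, etc.).
 */
class Demo_Extension_Controller extends WP_REST_Controller {

    public function register_routes() {
        register_rest_route( 'demo/v1', '/extensions/(?P<slug>[a-z0-9-]+)', array(
            array(
                'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
                'callback'            => array( $this, 'update_item' ),
                // This callback is the ONLY gate between the network and update_item().
                // Swap in update_item_permissions_check_vulnerable to see the open route.
                'permission_callback' => array( $this, 'update_item_permissions_check' ),
                'args'                => array(
                    'slug' => array(
                        'type'              => 'string',
                        'required'          => true,
                        'sanitize_callback' => 'sanitize_key',
                    ),
                ),
            ),
        ) );
    }

    /**
     * VULNERABLE pattern: an unconditional true lets any visitor, logged in or
     * not, reach update_item(). No current_user_can() call is made at all.
     */
    public function update_item_permissions_check_vulnerable( $request ) {
        return true;
    }

    /**
     * FIXED pattern: require the capability WordPress itself demands for
     * installing plugins. Returning a WP_Error (rather than bare false) gives
     * the caller a proper rest_forbidden response with a 401 or 403 status.
     * Cookie-authenticated callers must also send a valid X-WP-Nonce header,
     * otherwise core treats them as logged out before this callback runs.
     */
    public function update_item_permissions_check( $request ) {
        if ( ! current_user_can( 'install_plugins' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to install extensions.', 'demo' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return true;
    }

    public function update_item( $request ) {
        // Installation logic would live here. It must never be the first place
        // authorization is considered; by the time it runs, the gate has passed.
        return rest_ensure_response( array( 'installed' => $request['slug'] ) );
    }
}

add_action( 'rest_api_init', function () {
    ( new Demo_Extension_Controller() )->register_routes();
} );
```

The practical check for any controller is to read each register_rest_route() call and confirm that every write method has a permission_callback that consults current_user_can() (or returns a WP_Error); a callback of `'__return_true'` or `function () { return true; }` on a route that changes state is the pattern this CVE describes.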
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can send crafted HTTP requests to the WordPress REST API endpoint associated with the Booktics extension controller. Since the permission check function returns true regardless of the user's authentication state, the server processes the addon installation request.
The attack flow typically involves:
- Identifying a WordPress site running a vulnerable Booktics version
- Crafting a REST API request to the extension update endpoint
- Specifying a malicious or attacker-controlled addon plugin for installation
- The plugin installs without authorization checks, granting the attacker potential code execution capabilities
The fix implemented in the WordPress Plugin Changeset adds proper capability verification using WordPress's built-in authorization functions.
Detection Methods for CVE-2026-1920
Indicators of Compromise
- Unexpected addon plugins appearing in the Booktics extensions directory
- WordPress REST API access logs showing unauthenticated requests to /wp-json/booktics/v1/extensions endpoints
- Newly installed plugins that were not authorized by site administrators
- Unusual file modifications in wp-content/plugins/booktics/ directory
Detection Strategies
- Monitor web server and REST API logs for POST requests to Booktics extension endpoints; standard access logs do not record whether the caller was authenticated, so treat any such request from an unexpected source as suspect and correlate it with WordPress user sessions
- Implement file integrity monitoring on the Booktics plugin directory to detect unauthorized changes
- Review WordPress plugin installation logs for unexpected addon installations
- Use WordPress security plugins that detect capability bypass attempts
Monitoring Recommendations
- Enable verbose logging for WordPress REST API requests and filter for Booktics-related endpoints
- Configure alerts for any plugin installation events that occur outside of administrative sessions
- Implement real-time file system monitoring on WordPress plugin directories
- Regularly audit installed plugins against an approved allowlist
How to Mitigate CVE-2026-1920
Immediate Actions Required
- Update the Booktics plugin to the latest patched version immediately
- Audit WordPress sites for any unauthorized addon plugins that may have been installed
- Review server access logs for evidence of exploitation attempts against the vulnerable endpoint
- Consider temporarily disabling the Booktics plugin if an immediate update is not possible
Patch Information
The vulnerability has been addressed in versions after 1.0.16. Site administrators should update to the latest available version of the Booktics plugin through the WordPress plugin repository. The specific code fix can be reviewed in the WordPress Plugin Changeset.
For additional technical analysis and verification, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Restrict access to WordPress REST API endpoints using web server configuration (e.g., .htaccess rules or nginx location blocks)
- Implement a Web Application Firewall (WAF) rule to block unauthenticated requests to Booktics extension endpoints
- Disable the Booktics plugin entirely until a patch can be applied
- Use a WordPress security plugin, or a small must-use plugin hooked into the REST dispatcher (for example the rest_request_before_callbacks filter), to require the install_plugins capability on Booktics extension endpoints regardless of what the plugin's own permission callback returns
# Apache .htaccess workaround: reject requests to the Booktics extension REST routes that carry no
# WordPress login cookie. Place this block ABOVE the "# BEGIN WordPress" section: WordPress's own
# rule ends with [L], so anything added after it never runs for REST requests.
# Caveat: this tests only that a wordpress_logged_in_* cookie is present, not that it is valid,
# so it stops opportunistic scanners but is not a substitute for updating the plugin.
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty permalinks: /wp-json/booktics/v1/extensions...
RewriteCond %{REQUEST_URI} ^/wp-json/booktics/v1/extensions [NC,OR]
# Plain permalinks: /index.php?rest_route=/booktics/v1/extensions... (the value may be URL-encoded)
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)booktics(/|%2F)v1(/|%2F)extensions [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
RewriteRule .* - [F,L]
</IfModule>
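The last workaround item (enforcing the capability check from outside the plugin) and the REST-log detection strategy can both be served by one must-use plugin that runs before any route's own permission callback. The code below is an added example written for this page, not part of Booktics or of the original advisory. It assumes the route prefix /booktics/v1/extensions named above; the constant name, the error message and the log line format are choices made here.

```php
<?php
/**
 * Plugin Name: Booktics REST extension-route guard (temporary workaround)
 *
 * Added example, not Booktics's code. Save as wp-content/mu-plugins/booktics-guard.php
 * so it loads before regular plugins. Assumes the route prefix /booktics/v1/extensions;
 * change BOOKTICS_GUARD_PREFIX if the plugin registers its routes elsewhere.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const BOOKTICS_GUARD_PREFIX = '/booktics/v1/extensions'; // assumed prefix, verify on your site

/**
 * rest_request_before_callbacks fires before the matched route's permission_callback.
 * Returning a WP_Error here makes WP_REST_Server skip both the permission callback
 * and the handler, so the guard holds even if the plugin's own callback returns true.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // An earlier filter already rejected the request: do not override it.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    $route = $request->get_route(); // e.g. /booktics/v1/extensions/some-addon
    if ( strpos( $route, BOOKTICS_GUARD_PREFIX ) !== 0 ) {
        return $response; // not a Booktics extension route
    }

    // Reads are left alone; only state-changing methods can install an addon.
    $method = $request->get_method();
    if ( 'GET' === $method || 'HEAD' === $method ) {
        return $response;
    }

    // Same capability WordPress requires to install a plugin from the admin UI.
    if ( current_user_can( 'install_plugins' ) ) {
        return $response;
    }

    // Detection aid: one line per blocked attempt in the PHP error log.
    // REMOTE_ADDR is the upstream proxy's address when the site sits behind one.
    error_log( sprintf(
        'booktics-guard: blocked %s %s from %s (user=%d)',
        $method,
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        get_current_user_id()
    ) );

    return new WP_Error(
        'rest_forbidden',
        'Installing Booktics extensions requires the install_plugins capability.',
        array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
    );
}, 10, 3 );
```

Before relying on it, confirm as an administrator that GET /wp-json/booktics/v1 lists routes under the assumed prefix and adjust BOOKTICS_GUARD_PREFIX if not. Unlike the .htaccess rule, this guard checks a real capability rather than cookie presence and also covers the ?rest_route= form, but it still only narrows the window; remove the file once the site is updated past 1.0.16.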
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

