CVE-2026-1980 Overview
The WPBookit plugin for WordPress contains a missing authorization vulnerability that allows unauthorized data disclosure through the get_customer_list route. The flaw affects all versions of the plugin up to and including 1.0.8 and lets unauthenticated attackers read sensitive customer information stored in the booking system.
Critical Impact
Unauthenticated attackers can retrieve sensitive customer PII including names, email addresses, phone numbers, dates of birth, and gender information through an unprotected API endpoint.
Affected Products
- WPBookit WordPress plugin, all versions up to and including 1.0.8
- Any WordPress site with a vulnerable WPBookit version installed and active, including booking sites that rely on it to store customer records
Discovery Timeline
- March 4, 2026 - CVE-2026-1980 published to NVD
- March 4, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1980
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue resides in the class.wpb-admin-routes.php file, specifically at line 146, where the get_customer_list route is defined without proper authorization checks.
The WPBookit plugin exposes an administrative API route that returns customer data but fails to verify that the requesting user has administrative privileges or is authenticated at all. This broken access control allows any external party to query the endpoint and receive the full customer database response.
The network-accessible nature of this vulnerability means attackers can exploit it remotely without any user interaction. Since no authentication is required, any internet-connected attacker can enumerate and exfiltrate customer records from vulnerable WordPress installations.
Root Cause
The root cause is a missing authorization check in the WPBookit plugin's administrative routes handler. The get_customer_list function processes requests and returns customer data without first validating the caller's permission level. WordPress provides capability checks such as current_user_can() for exactly this purpose; when a route is registered through the REST API, that check belongs in the permission_callback passed to register_rest_route(), which the REST server evaluates before the route's callback runs. No such check exists on the vulnerable code path.
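The unprotected and the hardened registration patterns side by side, as an added illustration rather than WPBookit's own code: the route namespace, the path, the function names and the example customer record are assumptions, since the page does not reproduce the plugin's source, and the data callback returns a constructed record instead of querying the database.

```php
<?php
// Added illustration (not WPBookit's code): a WordPress REST route that
// returns customer records leaks when its permission_callback is missing or
// permissive; the same route with a capability check rejects anonymous callers.
// Namespace 'wpbookit/v1', the path and the wpb_example_* names are assumed.

// --- Unprotected pattern: anyone on the internet can call this route. ---
function vuln_register_customer_route() {
    register_rest_route( 'wpbookit/v1', '/get_customer_list', array(
        'methods'             => 'GET',
        'callback'            => 'wpb_example_get_customer_list',
        // '__return_true' disables authorization entirely. Leaving the key out
        // behaves the same way and only adds a _doing_it_wrong() notice.
        'permission_callback' => '__return_true',
    ) );
}

// --- Hardened pattern: require a logged-in user with an admin capability. ---
function fixed_register_customer_route() {
    register_rest_route( 'wpbookit/v1', '/get_customer_list', array(
        'methods'             => 'GET',
        'callback'            => 'wpb_example_get_customer_list',
        'permission_callback' => 'wpb_example_can_read_customers',
    ) );
}

function wpb_example_can_read_customers( WP_REST_Request $request ) {
    // current_user_can() is false for an anonymous request, so the REST server
    // answers 401 (not logged in) or 403 (logged in, lacks the capability)
    // instead of running the callback. 'manage_options' is the generic admin
    // capability; a plugin with its own narrower capability should use that.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'wpb_forbidden',
            __( 'You are not allowed to list customers.', 'wpbookit-example' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function wpb_example_get_customer_list( WP_REST_Request $request ) {
    // Stand-in for the real database query; the record is a constructed sample.
    $customers = array(
        array( 'name' => 'A. Example', 'email' => 'a@example.test' ),
    );
    return rest_ensure_response( $customers );
}

// Only the hardened registration is hooked; the unprotected one is shown for contrast.
add_action( 'rest_api_init', 'fixed_register_customer_route' );
```

When testing the fix from a browser session, remember that WordPress cookie authentication for the REST API also requires a valid nonce in the X-WP-Nonce header (created with wp_create_nonce('wp_rest')); a logged-in administrator's request without that header is treated as anonymous, so a 401 in that case is the hardened callback working, not a regression.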
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can craft HTTP requests directly to the vulnerable endpoint on any WordPress site running the affected plugin versions. The exploitation is straightforward:
- Identify WordPress sites using the WPBookit plugin
- Send a request to the get_customer_list route
- Receive the full customer list response containing PII
- Repeat across multiple target sites for mass data harvesting
The vulnerability is particularly dangerous because booking plugins typically store valuable customer data including contact information and personal details that can be used for identity theft, phishing campaigns, or sold on dark web marketplaces.
Detection Methods for CVE-2026-1980
Indicators of Compromise
- Unusual HTTP requests to WPBookit API routes from external IP addresses
- High volume of requests to /wp-json/ or similar REST endpoints containing wpbookit or get_customer_list
- Access log entries showing HTTP 200 responses (rather than a 401/403 rejection) to the customer list route for requests that carry no WordPress login cookie
- Unexpected outbound data transfers following API endpoint access
Detection Strategies
- Monitor web server access logs for requests to WPBookit administrative routes without corresponding authentication events
- Implement Web Application Firewall (WAF) rules to detect and alert on access attempts to the get_customer_list endpoint
- Configure intrusion detection systems to identify patterns consistent with customer data enumeration
- Review WordPress REST API access patterns for anomalous behavior targeting plugin-specific routes
Monitoring Recommendations
- Ensure web server access logs record the full request URI, including the query string, and the response size for REST API requests, since WordPress itself does not log REST calls by default
- Set up real-time alerting for any access to sensitive plugin routes from non-authenticated users
- Conduct periodic reviews of API access logs to identify potential exploitation attempts
- Monitor for large response payloads from API endpoints that may indicate bulk data exfiltration
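An added example, not from the original page, that applies the indicators and monitoring recommendations above to combined-format (Apache/nginx) access log lines and summarises matching requests per client IP, counting successful responses and flagging large payloads. It runs with plain `php scan.php`; the log lines are constructed samples, the URI paths in them are assumptions because the page does not give the route's exact URL, and the size threshold is an arbitrary example value.

```php
<?php
// Added example (not from the original page): scan access log lines for
// requests to the WPBookit customer list route and summarise them per IP.

// Matches the route name anywhere, or any /wp-json/ path mentioning wpbookit.
const WPB_ROUTE_PATTERN = '#get_customer_list|/wp-json/[^ ]*wpbookit#i';
// Arbitrary example threshold for "large response" (bytes).
const WPB_LARGE_RESPONSE_BYTES = 50000;
// Combined log format: ip - user [time] "METHOD /path HTTP/x" status bytes "ref" "ua"
const WPB_LOG_REGEX = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';

function wpb_parse_log_line( string $line ): ?array {
    if ( ! preg_match( WPB_LOG_REGEX, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'user'   => $m[2],   // "-" when the web server saw no authenticated user
        'time'   => $m[3],
        'method' => $m[4],
        'path'   => $m[5],
        'status' => (int) $m[6],
        'bytes'  => $m[7] === '-' ? 0 : (int) $m[7],
    );
}

function wpb_scan_access_log( array $lines ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $req = wpb_parse_log_line( $line );
        if ( $req === null || ! preg_match( WPB_ROUTE_PATTERN, $req['path'] ) ) {
            continue;
        }
        $ip = $req['ip'];
        if ( ! isset( $findings[ $ip ] ) ) {
            $findings[ $ip ] = array( 'requests' => 0, 'successful' => 0, 'bytes' => 0, 'large' => 0 );
        }
        $findings[ $ip ]['requests']++;
        if ( $req['status'] === 200 ) {
            // A 200 to an anonymous caller is the strongest sign that data left the
            // site; a protected route answers 401 or 403 instead.
            $findings[ $ip ]['successful']++;
            $findings[ $ip ]['bytes'] += $req['bytes'];
            if ( $req['bytes'] >= WPB_LARGE_RESPONSE_BYTES ) {
                $findings[ $ip ]['large']++;
            }
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic); the route path is assumed.
$sample = array(
    '203.0.113.5 - - [04/Mar/2026:10:01:02 +0000] "GET /wp-json/wpbookit/v1/get_customer_list HTTP/1.1" 200 184211 "-" "python-requests/2.31"',
    '203.0.113.5 - - [04/Mar/2026:10:01:09 +0000] "GET /wp-json/wpbookit/v1/get_customer_list?page=2 HTTP/1.1" 200 181904 "-" "python-requests/2.31"',
    '198.51.100.7 - - [04/Mar/2026:10:05:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [04/Mar/2026:10:07:15 +0000] "GET /wp-json/wpbookit/v1/get_customer_list HTTP/1.1" 403 87 "-" "curl/8.5.0"',
);

foreach ( wpb_scan_access_log( $sample ) as $ip => $f ) {
    printf( "%-14s requests=%d ok=%d bytes=%d large=%d%s\n",
        $ip, $f['requests'], $f['successful'], $f['bytes'], $f['large'],
        $f['successful'] > 0 ? '  <-- data likely returned' : '' );
}
```

On the sample input the scan reports 203.0.113.5 with two successful, large responses (the exfiltration pattern) and 192.0.2.9 with a single rejected probe; the unrelated wp/v2/posts request is ignored. Rejected probes are still worth keeping, since a 403 today from an IP that also appears in older logs with 200s tells you when the exposure window closed.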
How to Mitigate CVE-2026-1980
Immediate Actions Required
- Update WPBookit plugin to the latest patched version immediately
- Review web server logs for any historical exploitation attempts
- If exploitation is suspected, notify affected customers of potential data exposure
- Temporarily disable the WPBookit plugin if an update is not immediately available
Patch Information
The vulnerability has been addressed by the WPBookit developers. The fix details can be reviewed in the WordPress WPBookit Changeset Details. Site administrators should update to the latest version available through the WordPress plugin repository. Additional vulnerability details are available in the Wordfence Vulnerability Report.
Workarounds
- Restrict the WPBookit API routes at the web-server layer (HTTP basic auth or an IP allow-list); the web server cannot evaluate WordPress capabilities, so this gates the route for everyone, including legitimate administrators unless they are given the extra credential
- Deploy a Web Application Firewall rule that blocks requests to the get_customer_list endpoint which carry no WordPress login cookie (wordpress_logged_in_*), and alerts on the rest
- Temporarily disable the WPBookit plugin until the patch can be applied
- Use .htaccess (Apache) or the nginx configuration to restrict access to the plugin's admin route handlers
# Nginx configuration example to restrict WPBookit admin routes.
# The path pattern is an assumption: confirm the real route URL from the
# plugin's class.wpb-admin-routes.php before deploying.
location ~* ^/wp-json/wpbookit/.*customer {
    # Option A: put HTTP basic auth in front of the route. nginx cannot
    # evaluate WordPress capabilities, so this is a coarse gate, not a fix.
    auth_basic "Admin Access Required";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # Option B: block the route entirely until patched.
    # return 403;
    # A regex location bypasses the usual "location /" block, so the request
    # must still be handed to WordPress's front controller:
    try_files $uri $uri/ /index.php?$args;
}
# Requests using the ?rest_route=/wpbookit/... query form (sites without
# pretty permalinks) do not match this pattern; add a matching rule for that form.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

