CVE-2026-2230 Overview
The Booking Calendar plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 10.14.14. The vulnerability exists in the handle_ajax_save function due to missing validation on a user-controlled key. This flaw enables authenticated attackers with Subscriber-level access and above, who have been granted booking permissions by an Administrator, to modify other users' plugin settings, such as booking calendar display options, potentially disrupting booking calendar functionality for targeted users.
Critical Impact
Authenticated users who hold the plugin's booking permission (a Subscriber account is enough) can exploit the missing authorization check to overwrite other users' booking calendar configuration. The impact described for this flaw is tampering with, and disruption of, other users' calendar settings rather than code execution or data disclosure; its reach depends on how widely booking permissions have been granted.
Affected Products
- Booking Calendar WordPress Plugin versions up to and including 10.14.14
Discovery Timeline
- 2026-02-18 - CVE CVE-2026-2230 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2230
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, a common weakness in web applications where authorization decisions are based on user-supplied input without proper validation. The vulnerable function handle_ajax_save in the save-user-meta.php file fails to verify that the authenticated user has permission to modify the settings belonging to the target user ID specified in the request.
The attack requires at least Subscriber-level WordPress access together with booking permissions granted by an Administrator. This limits the attack surface, but sites with open registration, or that hand out booking permissions broadly, are at elevated risk. The flaw is a horizontal (cross-user) authorization bypass: the handler checks that the caller holds booking permission, but not that the caller is entitled to act on the particular user ID supplied in the request, so any user who passes the permission gate can write to other users' settings.
Root Cause
The root cause of this vulnerability lies in the handle_ajax_save function located in save-user-meta.php at line 90. The function accepts a user-controlled key parameter but does not validate whether the current authenticated user has authorization to modify the settings associated with that key. This missing access control check allows any authenticated user with booking permissions to reference and modify another user's plugin configuration by simply changing the user ID parameter in their request.
Attack Vector
The attack is conducted over the network through an authenticated session. An attacker with Subscriber-level WordPress access who has been granted booking permissions sends a crafted AJAX request to wp-admin/admin-ajax.php with the action parameter that routes to handle_ajax_save. The user-controlled key in that request is the target user ID: setting it to another user's ID directs the write to that user's booking calendar display options and other plugin settings.
Because the function checks neither that the target user ID matches the caller nor that the caller is allowed to edit that user, it processes the request and saves the attacker-supplied values to the victim's user meta. The attacker needs only a valid session of their own plus a guessable or enumerated victim user ID.
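The following is an added illustration of the CWE-639 pattern described above, written for this page; it is not the Booking Calendar plugin's code and does not reproduce handle_ajax_save. The action names, the nonce action, the example_manage_bookings capability, the parameter names and the example_ meta prefix are all assumptions. The first handler shows how a nonce check and a capability check can both pass and still leave the user-controlled key unchecked; the second binds the write to the caller, or to a caller who can edit the target user, and allow-lists the settings that may be written.

```php
<?php
/**
 * Added illustrative example, not the Booking Calendar plugin's code.
 * Demonstrates an AJAX save handler that trusts a caller-supplied user ID
 * (CWE-639) beside a hardened version. All names below are assumptions.
 */

// --- Vulnerable pattern: target user taken from the request, never checked -----
add_action( 'wp_ajax_example_save_user_meta_vuln', 'example_save_user_meta_vuln' );
function example_save_user_meta_vuln() {
    // A CSRF nonce and a capability gate both pass for any user who has been
    // granted the (assumed) booking capability...
    check_ajax_referer( 'example_save_user_meta', 'nonce' );
    if ( ! current_user_can( 'example_manage_bookings' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ...but $user_id is whatever the caller sent, so the write lands on any
    // user's settings. This is the missing authorization check.
    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    $key     = sanitize_key( $_POST['key'] ?? '' );
    $value   = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_user_meta( $user_id, 'example_' . $key, $value );
    wp_send_json_success();
}

// --- Hardened pattern: authorize the caller against the target user ID and
// restrict which keys the handler may touch -----------------------------------
add_action( 'wp_ajax_example_save_user_meta', 'example_save_user_meta' );
function example_save_user_meta() {
    check_ajax_referer( 'example_save_user_meta', 'nonce' );
    if ( ! current_user_can( 'example_manage_bookings' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $requested = (int) ( $_POST['user_id'] ?? 0 );
    $current   = get_current_user_id();

    // Authorization check on the user-controlled key: a caller may only write
    // their own settings unless they hold the edit_user meta-capability for the
    // target (WordPress resolves this to edit_users, i.e. administrators).
    if ( $requested !== $current && ! current_user_can( 'edit_user', $requested ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allow-list the settings that may be written so the handler cannot be used
    // as a confused deputy against unrelated meta keys.
    $allowed = array( 'calendar_view', 'calendar_days' ); // assumed setting names
    $key     = sanitize_key( $_POST['key'] ?? '' );
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'bad key', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_user_meta( $requested, 'example_' . $key, $value );
    wp_send_json_success();
}
```

The point of the hardened version is that the nonce and the role-style capability check are not authorization for the object being written; the decision has to involve the relationship between the authenticated user and the user ID in the request. Whether a "can edit this other user" branch should exist at all depends on the plugin's intended permission model; if only self-service edits are legitimate, the comparison against get_current_user_id() alone is the safer choice.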
Detection Methods for CVE-2026-2230
Indicators of Compromise
- POST requests to wp-admin/admin-ajax.php whose action routes to handle_ajax_save and whose target user ID differs from the user of the authenticated session (stock web server access logs record neither POST bodies nor the session user, so this needs application-level or WAF logging)
- Multiple rapid configuration changes to booking calendar settings across different user accounts
- User meta updates for users who did not initiate the change (WordPress does not log user meta writes by default; a hook on the update_user_meta and add_user_meta actions, or an activity-log plugin, has to supply these entries)
- Anomalous activity from Subscriber-level accounts directed at the Booking Calendar plugin
Detection Strategies
- Log the action parameter and the caller's user ID for admin-ajax.php requests (for example from a small must-use plugin) and flag handle_ajax_save calls where the target user ID in the request does not match the caller
- Use Web Application Firewall (WAF) rules to detect parameter tampering on user ID fields; a WAF sees the request but not the WordPress session, so on its own it can only flag anomalies such as one client cycling through many user IDs, not a single mismatched write
- Enable detailed audit logging of Booking Calendar plugin configuration changes
- Review access logs for patterns indicating systematic enumeration of user IDs
Monitoring Recommendations
- Configure SentinelOne Singularity, where its agent runs on the web host, to monitor for suspicious POST requests to WordPress AJAX handlers
- Set up alerts for unexpected modifications to user meta in the WordPress database (the wp_usermeta table); this presupposes that such writes are logged or audited in the first place
- Implement file integrity monitoring on the Booking Calendar plugin directory; this catches tampering with the plugin files but not exploitation of this flaw, which only writes to the database
- Enable WordPress activity logging with a focus on plugin-related user meta changes
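Because WordPress does not record user meta writes on its own, the detection and monitoring items above need something to produce the log lines. The following must-use plugin is an added example written for this page, not part of the advisory or of the Booking Calendar plugin: it hooks the core update_user_meta and add_user_meta actions and logs every user meta write made during an admin-ajax.php request whose target user is not the logged-in user. The booking_ meta-key prefix is an assumption and should be replaced with the prefix the plugin actually uses; the xumw_ function names are also invented here.

```php
<?php
/**
 * Plugin Name: Cross-user meta write audit (added example)
 *
 * Added example, not part of the advisory or the Booking Calendar plugin.
 * Place in wp-content/mu-plugins/ to log every user-meta write made during an
 * admin-ajax.php request where the target user differs from the logged-in user.
 * The meta-key prefix 'booking_' is an assumption; set it to the real prefix.
 */

function xumw_is_ajax_request() {
    // wp_doing_ajax() exists since WordPress 4.7; fall back to the constant otherwise.
    return function_exists( 'wp_doing_ajax' )
        ? wp_doing_ajax()
        : ( defined( 'DOING_AJAX' ) && DOING_AJAX );
}

function xumw_record( $target_user_id, $meta_key, $op ) {
    if ( ! xumw_is_ajax_request() ) {
        return; // profile edits and cron also write meta; only AJAX is in scope here
    }
    $actor = get_current_user_id();
    if ( $actor === (int) $target_user_id ) {
        return; // a user changing their own settings is expected
    }
    // Restrict to the plugin's keys; an empty prefix logs all cross-user writes.
    $prefix = apply_filters( 'xumw_meta_prefix', 'booking_' ); // assumed prefix
    if ( '' !== $prefix && 0 !== strpos( $meta_key, $prefix ) ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    // Goes to the PHP error log, or wp-content/debug.log when WP_DEBUG_LOG is set.
    error_log( sprintf(
        'XUMW cross-user meta %s: actor=%d target=%d key=%s ajax_action=%s ip=%s',
        $op, $actor, (int) $target_user_id, $meta_key, $action, $ip
    ) );
}

// update_user_meta fires before an existing row is changed
// (args: $meta_id, $object_id, $meta_key, $meta_value).
add_action( 'update_user_meta', function ( $meta_id, $object_id, $meta_key, $meta_value ) {
    xumw_record( $object_id, $meta_key, 'update' );
}, 10, 4 );

// add_user_meta fires before a new row is inserted
// (args: $object_id, $meta_key, $meta_value).
add_action( 'add_user_meta', function ( $object_id, $meta_key, $meta_value ) {
    xumw_record( $object_id, $meta_key, 'add' );
}, 10, 3 );
```

Each resulting line carries the acting user, the target user, the meta key and the AJAX action, which is exactly the "actor differs from target" signal the indicators above ask for and which web server logs cannot provide. Administrators legitimately write other users' meta through the profile screens, so expect some noise from admin accounts and tune the prefix, or the actor's role, before alerting on it. This hook only observes; if blocking is wanted instead, the update_user_metadata and add_user_metadata filters can short-circuit the write, but that is a policy decision that belongs with the patched plugin, not a drop-in audit file.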
How to Mitigate CVE-2026-2230
Immediate Actions Required
- Update the Booking Calendar plugin to version 10.14.15 or later immediately
- Review booking permission grants and restrict to only necessary users
- Audit recent plugin configuration changes for signs of exploitation
- Consider temporarily disabling the Booking Calendar plugin until patched
Patch Information
The vulnerability has been addressed in a patch released by the plugin maintainers. The fix is documented in WordPress Changeset 3456856, which implements proper authorization validation in the handle_ajax_save function. Additional technical details about the vulnerability can be found in the Wordfence Vulnerability Report.
Workarounds
- Revoke booking permissions from every user who does not strictly need them until the plugin is updated; the flaw is reachable by any role that holds the permission, not only Subscribers
- Restrict WordPress registration to prevent creation of new Subscriber accounts
- Add WAF rules to block or rate-limit admin-ajax.php requests that cycle through many user ID values; blocking a single mismatched user ID requires the WAF to know the session's user, which most deployments do not expose to it
- Consider a WordPress security plugin that adds access control layers, keeping in mind that it cannot replace the missing check inside the plugin itself
Organizations using the Booking Calendar plugin should prioritize updating to the patched version. The vulnerable code can be reviewed at the WordPress Plugin Code Reference for security teams conducting internal assessments.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

