Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
WordPress Bookr Plugin Allows Hackers to Change Appointment Status
CVE-2026-1932
Summary
A security issue in the Bookr plugin for WordPress allows unauthorized users to change the status of appointments. This means that anyone can modify the status of any appointment, which could lead to incorrect scheduling or other issues. To fix this, update the Bookr plugin to version 1.0.3 or later.
Original title
The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint...
Original description
The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the status of any appointment.
nvd CVSS3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026