CVE-2026-12393

CVE-2026-12393: WPS Bookings for WooCommerce < 3.11.7 - Subscriber+ Arbitrary Booking Order Cancellation via IDOR

Vendor Unknown
Product WPS Bookings for WooCommerce
Published July 17, 2026
Last update July 17, 2026

CVSS base score

What the vulnerability does

01Description

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.

Key dates

02Disclosure timeline

July 17, 2026 CVE published
July 17, 2026 Record updated