What the vulnerability does
01 Description
The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through its views PHP files. Unauthenticated attackers can view potentially sensitive information contained in the exposed views PHP files by accessing those files directly.
Explanation of Vulnerability in Simple Terms
02 Summary
TrueBooker versions 1.1.4 and earlier lack proper authorization checks, allowing unauthenticated attackers to read sensitive information. The vulnerability requires only network access and no user interaction. Without authentication or special privileges, an attacker can access data they should not be able to view.
What an attacker can do
03 Attacker Capabilities
Read sensitive information from the booking system without logging in.
Potential impact on your site
04 Site Impact
Appointment data, user details, or other sensitive booking information may be exposed to unauthorized visitors.
Conditions required to exploit
05 Prerequisites
Network access to the TrueBooker installation; no authentication required.
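An audit a site owner could run over a plugin directory to find PHP files that do not refuse direct requests. This is an added example, not code from the plugin or this advisory. It assumes the common WordPress convention of an `ABSPATH`/`WPINC` guard at the top of each file, and the sample tree and file names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Guard patterns WordPress plugins commonly place at the top of a PHP file so
# that it exits when requested directly instead of being loaded by WordPress.
GUARD = re.compile(
    r"""(?:!\s*defined\s*\(\s*['"](?:ABSPATH|WPINC)['"]\s*\)"""
    r"""|defined\s*\(\s*['"](?:ABSPATH|WPINC)['"]\s*\)\s*(?:\|\||or)\s*(?:exit|die))""",
    re.IGNORECASE,
)
# Strip PHP comments so a guard that is only commented out does not count.
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.DOTALL)


def is_guarded(php_source: str, window: int = 1024) -> bool:
    """True if a direct-access guard appears near the top of the file."""
    head = COMMENTS.sub("", php_source)[:window]
    return bool(GUARD.search(head))


def unguarded_php_files(plugin_dir):
    """Return sorted relative paths of .php files with no direct-access guard."""
    root = Path(plugin_dir)
    hits = []
    for path in root.rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if not is_guarded(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample plugin tree (not TrueBooker's real files)."""
    views = Path(base) / "example-plugin" / "views"
    views.mkdir(parents=True)
    (views / "guarded.php").write_text(
        "<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\necho 'ok';\n")
    (views / "exposed.php").write_text(
        "<?php\n// if ( ! defined( 'ABSPATH' ) ) exit;\necho $booking->email;\n")
    (views / "short.php").write_text("<?php defined('ABSPATH') || exit;\n")
    return Path(base) / "example-plugin"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in unguarded_php_files(build_sample_tree(tmp)):
            print("no direct-access guard:", rel)
```

A missing guard only flags a file for review; a view that is reachable through WordPress still needs its own authorization check before it outputs booking data.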
Key dates
06 Disclosure timeline
March 31, 2026: CVE published
April 8, 2026: Record updated