CVE-2026-1919 MEDIUM

CVE-2026-1919: Booktics <= 1.0.16 - Missing Authorization to Get Items via REST API endpoints

Vendor Arraytics
Product Booktics – Booking Calendar for Appointments and Service Businesses
Weakness CWE-306 · Missing Authentication for Critical Function
Published March 10, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. In WordPress terms, the affected routes are registered without a permission callback that verifies the caller's capabilities, so any client that can reach the site's REST API (normally under /wp-json/) can call them. This makes it possible for unauthenticated attackers to query sensitive data.
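To make the mechanism concrete, here is the registration pattern that produces a missing capability check, next to a hardened version. This is an illustrative example written for this page; it is not Booktics code, and the namespace, route names, capability and data source are hypothetical stand-ins.

```php
<?php
/**
 * Illustrative example, not Booktics code. The 'example-booking/v1'
 * namespace, the routes, the capability and the data source below are
 * hypothetical.
 */

// VULNERABLE PATTERN: the endpoint is registered with no capability check.
// '__return_true' (or omitting permission_callback entirely, which WordPress
// 5.5+ flags with a _doing_it_wrong notice but still serves) tells the REST
// server that anyone, including unauthenticated visitors, may call the route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/appointments', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_appointments',
        'permission_callback' => '__return_true', // missing capability check
    ) );
} );

// HARDENED PATTERN: the same data behind a permission callback that checks
// the caller's capability. The callback must return true, false or WP_Error.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/appointments-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_appointments',
        'permission_callback' => 'example_can_read_appointments',
    ) );
} );

function example_can_read_appointments( WP_REST_Request $request ) {
    // 'manage_options' is a stand-in; a real plugin would check a capability
    // it maps to the staff roles that are allowed to see bookings.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // rest_authorization_required_code() yields 401 for anonymous callers
    // and 403 for logged-in callers who lack the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view appointments.', 'example-booking' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_get_appointments( WP_REST_Request $request ) {
    // Constructed sample row; a real plugin would query its own tables.
    $rows = array(
        array(
            'id'       => 1,
            'customer' => 'A. Customer',
            'email'    => 'customer@example.com',
            'service'  => 'Consultation',
        ),
    );
    return rest_ensure_response( $rows );
}
```

The defect is entirely in the `permission_callback` value: the handler itself can be identical in both versions. Note that cookie-authenticated REST calls from the browser also need a valid `X-WP-Nonce` header, which WordPress handles before the permission callback runs; the capability check is still the control that decides who may read the data.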

Explanation of Vulnerability in Simple Terms

02 Summary

Booktics versions up to and including 1.0.16 register several REST API endpoints without a capability check, so an unauthenticated network client can read the data those endpoints return. No login and no user interaction are required. Only confidentiality is affected (CVSS C:L, I:N, A:N); the flaw does not allow data to be changed or the site to be taken down. Update to a release newer than 1.0.16 to remediate. Until the update is applied, limiting who can reach the site's REST API (for example, requiring authentication for the plugin's routes through the `rest_authentication_errors` filter, or blocking them at the web server) reduces exposure, but it is a stopgap, not a fix.
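A site operator who wants to verify exposure without probing individual endpoints can inspect what the REST server has registered. The following audit script is an added example for this page, not part of the advisory or the plugin; it is meant to be run with WP-CLI from the site root (`wp eval-file rest-route-audit.php`) and lists every route whose endpoints have no `permission_callback` or use `__return_true`. The namespace prefix argument is an assumption to adjust, since the advisory does not state the plugin's REST namespace.

```php
<?php
/**
 * REST route audit, added as an illustration (not advisory or plugin code).
 * Run from the WordPress root with WP-CLI:
 *   wp eval-file rest-route-audit.php
 * Prints routes that any unauthenticated client may call. Treat the output
 * as a starting point: some routes (core's /wp/v2/posts, for instance) are
 * intentionally public, and a closure permission callback that always
 * returns true will not be caught by the string comparison below.
 */

function example_find_open_rest_routes( $namespace_prefix = '' ) {
    $open = array();
    // rest_get_server() instantiates the server and fires rest_api_init,
    // so every plugin's routes are registered before we read them.
    $routes = rest_get_server()->get_routes();

    foreach ( $routes as $route => $endpoints ) {
        // Route keys look like '/wp/v2/posts'; filter by namespace if asked.
        if ( '' !== $namespace_prefix && 0 !== strpos( $route, '/' . $namespace_prefix ) ) {
            continue;
        }
        foreach ( $endpoints as $endpoint ) {
            // 'methods' is normalized by WP_REST_Server into array( 'GET' => true, ... ).
            $methods = isset( $endpoint['methods'] )
                ? implode( ',', array_keys( $endpoint['methods'] ) )
                : '?';

            if ( empty( $endpoint['permission_callback'] ) ) {
                $open[] = array( 'route' => $route, 'methods' => $methods, 'reason' => 'no permission_callback' );
            } elseif ( '__return_true' === $endpoint['permission_callback'] ) {
                $open[] = array( 'route' => $route, 'methods' => $methods, 'reason' => '__return_true' );
            }
        }
    }
    return $open;
}

// An empty prefix audits every namespace. The value 'booktics' below is an
// assumption: replace it with the namespace the plugin actually registers
// (visible in the keys of rest_get_server()->get_namespaces()).
$namespace_to_check = '';

foreach ( example_find_open_rest_routes( $namespace_to_check ) as $hit ) {
    printf( "%-12s %-60s %s\n", $hit['methods'], $hit['route'], $hit['reason'] );
}
```

Running this before and after updating the plugin shows whether the routes the advisory describes have gained a real permission callback. Because WP-CLI runs without a logged-in user, the script only inspects registrations; it does not call any endpoint.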

What an attacker can do

03 Attacker Capabilities

Read sensitive information from the booking system without authentication.

Potential impact on your site

04 Site Impact

Appointment data, customer information, or service details may be exposed to unauthorized parties.

Conditions required to exploit

05 Prerequisites

Network access to the Booktics installation; no authentication or user interaction required.

Key dates

06 Disclosure timeline

March 10, 2026 CVE published
April 8, 2026 Record updated