CVE-2026-1920 MEDIUM

CVE-2026-1920: Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation

Vendor Arraytics
Product Booktics – Booking Calendar for Appointments and Service Businesses
Weakness CWE-306 · Missing auth
Published March 10, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.

Explanation of Vulnerability in Simple Terms

02Summary

Booktics versions 1.0.16 and earlier contain a missing authentication vulnerability that allows unauthenticated attackers to modify data over the network. The vulnerability requires no user interaction and affects the integrity of stored information. Site administrators should update to a version newer than 1.0.16 to remediate this issue.

What an attacker can do

03Attacker Capabilities

Modify booking or appointment data without logging in.

Potential impact on your site

04Site Impact

Attackers can alter bookings, appointments, or service business data without credentials.

Conditions required to exploit

05Prerequisites

Network access to the Booktics installation; no authentication required.

Key dates

06Disclosure timeline

March 10, 2026 CVE published
April 8, 2026 Record updated