Attack Vectors
This Medium-severity vulnerability (CVSS 6.5) affects the Booked – Appointment Booking for WordPress plugin (slug: booked) in versions before 2.4.4. It is exploitable over the network by an unauthenticated attacker: no user account, customer login, or staff role is needed to attempt to retrieve data.
In practical terms, the risk is highest for organizations that use Booked to manage customer appointments and store identifying details, notes, or other appointment-related information in WordPress. Official tracking: CVE-2022-36399.
Security Weakness
The issue is categorized as Sensitive Information Exposure and affects Booked versions up to, but not including, 2.4.4. According to the published advisory, it allows an unauthenticated attacker to extract sensitive appointment-related data stored in the WordPress database.
This is not described as a website "takeover" issue, but it is a data confidentiality problem that can still create significant compliance and brand risk, especially when appointment records contain personal or business-sensitive details. Source: Wordfence vulnerability entry.
Remediation: Update Booked to version 2.4.4 or later. Because exploitation requires no authentication, any publicly reachable site still running an older version should be treated as exposed until the update is applied; confirm the installed version afterwards rather than relying on the dashboard's auto-update status.
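One way to confirm the installed version across many sites is to read the standard WordPress plugin header from the plugin's main PHP file and compare its `Version:` field against the first fixed release, 2.4.4. The following script is an added example written for this page, not code from the advisory or from the Booked plugin. It assumes the plugin's main file lives at `wp-content/plugins/booked/booked.php` (the usual layout for a plugin with slug `booked`), and the sample header embedded below is constructed for illustration, including its version number.

```python
"""Flag Booked installs below the first fixed release (2.4.4).

Added example for this advisory page; not the plugin's or Wordfence's code.
It parses the WordPress plugin header and does a numeric version compare,
so "2.10.0" correctly sorts above "2.4.4" (a plain string compare would not).
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# First release without CVE-2022-36399, per the advisory.
FIXED_VERSION = "2.4.4"

# Assumed default location of the plugin's main file (slug "booked").
DEFAULT_PLUGIN_FILE = "wp-content/plugins/booked/booked.php"

# Constructed sample of a WordPress plugin header. The version is hypothetical.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Booked - Appointment Booking for WordPress
 * Version: 2.4.3
 * Text Domain: booked
 */
"""

# Same pattern WordPress itself uses for header fields: optional comment
# decoration, the field name, then the value to end of line.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.MULTILINE | re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.3' (or '2.4.4-beta') into (2, 4, 3) for numeric comparison.

    Each dot-separated component contributes its leading digits; components
    with no digits (e.g. 'rc1') are ignored.
    """
    parts = []
    for component in version.strip().split("."):
        m = re.match(r"\d+", component)
        if m:
            parts.append(int(m.group(0)))
    return tuple(parts)


def plugin_version_from_header(text: str) -> Optional[str]:
    """Extract the Version: value from a plugin's header block, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    value = m.group(1).strip()
    # Guard against trailing comment junk such as "2.4.3 */".
    return value.split()[0] if value else None


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is strictly below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_plugin_file(path: str = DEFAULT_PLUGIN_FILE) -> dict:
    """Read a plugin file and report its version and vulnerability status."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    version = plugin_version_from_header(text)
    if version is None:
        return {"path": path, "version": None, "vulnerable": None,
                "note": "no Version: header found"}
    return {"path": path, "version": version,
            "vulnerable": is_vulnerable(version), "note": ""}


if __name__ == "__main__":
    # Usage: python check_booked.py [path/to/booked.php]
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PLUGIN_FILE
    try:
        print(check_plugin_file(target))
    except FileNotFoundError:
        # Fall back to the constructed sample so the script demonstrates itself.
        v = plugin_version_from_header(SAMPLE_HEADER)
        print({"path": "<sample>", "version": v, "vulnerable": is_vulnerable(v)})
```

Run it against each site's plugin directory (or feed it files collected from backups) and treat any `vulnerable: True` result as a site that must be updated to 2.4.4 or later; a `None` version means the file did not carry a recognisable header and should be checked by hand.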
Technical or Business Impacts
Data exposure risk: Appointment data may include customer names, contact details, scheduling patterns, internal notes, or other context that becomes sensitive depending on your business (health, legal, consulting, financial services, etc.). Even limited exposure can be damaging if it reveals who your customers are and when they meet with you.
Compliance and legal risk: If exposed records include personal data, the organization may face notification obligations and regulatory scrutiny depending on jurisdiction and industry requirements.
Brand and revenue impact: Customer trust is often closely tied to how well appointment and contact details are protected. A publicized exposure can increase churn, reduce lead conversion rates, and create additional costs in PR, legal review, and incident response.
Similar Attacks
While the underlying causes differ from this plugin flaw, unauthenticated or publicly accessible data exposures are a common driver of reputational and compliance fallout. Examples include:
Verizon customer data exposure (UpGuard report)
Microsoft Power Apps data exposure (UpGuard report)
Facebook data leak affecting hundreds of millions of users (BBC)