Home

Description

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID.

PUBLISHED Reserved 2026-04-06 | Published 2026-05-12 | Updated 2026-05-12 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-05-11:Disclosed

Credits

Itthidej Aramsri finder

References

www.wordfence.com/...-6134-4b45-b532-37430d96a8fb?source=cve

plugins.trac.wordpress.org/...nt/class.saab.front.action.php

plugins.trac.wordpress.org/...nt/class.saab.front.action.php

wordpress.org/plugins/smart-appointment-booking/

cve.org (CVE-2026-5693)

nvd.nist.gov (CVE-2026-5693)

Download JSON