Platform
wordpress
Component
booktics
Fixed in
1.0.17
CVE-2026-1919 describes an unauthorized data access vulnerability discovered in the Booktics WordPress plugin. This flaw allows unauthenticated attackers to retrieve sensitive information through improperly secured REST API endpoints. The vulnerability impacts versions 1.0.0 through 1.0.16 of the plugin, and a fix is available in version 1.0.17.
The primary impact of CVE-2026-1919 is the potential exposure of sensitive data stored within the Booktics plugin. Attackers can leverage the missing capability checks to query these endpoints without authentication, potentially gaining access to appointment details, customer information, or other confidential data. The scope of data exposure depends on the specific data stored and accessible through the plugin's REST API. While the vulnerability is not directly exploitable for remote code execution, the data breach could lead to further attacks, such as identity theft or denial of service.
CVE-2026-1919 was publicly disclosed on 2026-03-10. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively low CVSS score and lack of public exploits, the probability of active exploitation is currently considered low, but diligent monitoring is recommended.
Exploit Status
EPSS
0.04% (14% percentile)
CISA SSVC
CVSS Vector
The most effective mitigation for CVE-2026-1919 is to immediately upgrade the Booktics plugin to version 1.0.17 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the plugin's REST API endpoints using a web application firewall (WAF) or proxy server. Configure the WAF to block requests to these endpoints from unauthorized users. Regularly review plugin configurations and ensure that all access controls are properly enforced. After upgrading, confirm the fix by attempting to access the vulnerable REST API endpoints without authentication; access should be denied.
Update to version 1.0.17, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-1919 is a MEDIUM severity vulnerability affecting the Booktics WordPress plugin, allowing unauthenticated attackers to query sensitive data via REST API endpoints due to a missing capability check.
You are affected if you are using Booktics WordPress plugin versions 1.0.0 through 1.0.16. Upgrade to version 1.0.17 or later to resolve the issue.
Upgrade the Booktics plugin to version 1.0.17 or later. As a temporary workaround, restrict access to the plugin's REST API endpoints using a WAF or proxy server.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2026-1919, but diligent monitoring is recommended.
Refer to the Booktics plugin website or WordPress plugin directory for the official advisory and update information regarding CVE-2026-1919.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.