
CVE-2026-9180

Severity: Medium (CVSS 5.3)

Summary

The MotoPress Appointment Booking plugin for WordPress up to version 2.4.4 contains an authorization bypass vulnerability via a user-controlled key. Unauthenticated attackers can overwrite customer data (name, email, phone number) in non-confirmed bookings by exploiting a publicly accessible REST endpoint.

Risk Assessment

An attacker can manipulate personal data of customers in pending bookings, leading to data integrity and confidentiality breaches, and potentially enabling further social engineering or identity theft attacks.

Recommendation

Immediately update the MotoPress Appointment Booking plugin to the latest available version that fixes this vulnerability. As a temporary workaround, disable the plugin or restrict access to the REST endpoints for unauthenticated users.

Original NVD description (English source)

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the `POST /motopress/appointment/v1/bookings` REST endpoint being registered with `'permission_callback' => '__return_true'`, allowing unauthenticated access, while the `createBooking` handler in `BookingsRestController.php` accepts an attacker-supplied `payment_details.booking_id` value and loads the referenced booking via `findById()` without verifying that the caller owns or has any rights to that booking. This makes it possible for unauthenticated attackers to overwrite the customer name, email address, phone number, and `customer_id` of any non-confirmed victim booking by submitting a request with no reservation items, causing `BookingService::createBooking()` to load the existing victim booking object and persist it with attacker-controlled customer data. Victim booking IDs can be harvested prior to exploitation without authentication by querying the also-publicly-accessible `GET /motopress/appointment/v1/bookings/reservations` endpoint with a guessable `service_id` and date range, and only bookings whose status is not `STATUS_CONFIRMED` (e.g., pending or auto-draft) are valid targets.
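As an added illustration (not MotoPress's code), the registration pattern the description identifies beside a hardened form of the same route, where the ownership check runs in the permission callback before the handler ever loads a booking; the plugin namespace, the `Example_Booking` model and all function names are hypothetical:

```php
<?php
// Added example, not MotoPress code: a hypothetical booking plugin showing the
// pattern the advisory describes and a hardened version of the same route.
// Example_Booking is a hypothetical model class with find_by_id() and save().

// BEFORE: route open to everyone, handler trusts the caller-supplied booking id.
function example_register_booking_route_vulnerable() {
    register_rest_route('example-booking/v1', '/bookings', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => 'example_create_booking',
    ]);
}

// AFTER: guests may still create a new booking, but an existing booking can only
// be touched by its owner; the check lives in permission_callback so the
// handler never runs for a caller that is not allowed to reach it.
function example_register_booking_route_hardened() {
    register_rest_route('example-booking/v1', '/bookings', [
        'methods'             => 'POST',
        'permission_callback' => 'example_booking_permission',
        'callback'            => 'example_create_booking',
    ]);
}

function example_booking_permission(WP_REST_Request $request) {
    $booking_id = (int) ($request['payment_details']['booking_id'] ?? 0);
    if ($booking_id === 0) {
        return true; // no existing booking referenced: a fresh booking is fine
    }
    // Referencing an existing booking requires a logged-in user who owns it.
    if (!is_user_logged_in()) {
        return new WP_Error('rest_forbidden', 'Authentication required.', ['status' => 401]);
    }
    $booking = Example_Booking::find_by_id($booking_id);
    if (!$booking || (int) $booking->customer_id !== get_current_user_id()) {
        // Same response for "missing" and "not yours" so ids cannot be probed.
        return new WP_Error('rest_forbidden', 'Not allowed.', ['status' => 403]);
    }
    return true;
}

function example_create_booking(WP_REST_Request $request) {
    $booking_id = (int) ($request['payment_details']['booking_id'] ?? 0);
    $booking = $booking_id ? Example_Booking::find_by_id($booking_id) : new Example_Booking();
    $booking->customer_name  = sanitize_text_field($request['customer']['name'] ?? '');
    $booking->customer_email = sanitize_email($request['customer']['email'] ?? '');
    $booking->save();
    return rest_ensure_response(['id' => $booking->id]);
}
```

The same ownership check (or a per-booking secret token for guest bookings) belongs on any endpoint that lists or reveals booking ids, since the description notes those are likewise reachable without authentication.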

Vulnerability data from NVD (NIST) · CISA KEV · EPSS