ByteOS Network

CVE Vulnerability Details :

CVE-2026-5693

PUBLISHED

More Info Official Page

Assigner-Wordfence

Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At-12 May, 2026 | 07:48

Updated At-12 May, 2026 | 07:48

▼CVE Numbering Authority (CNA)

Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID.

Affected Products

Vendor

zealopensource

Product

Smart Appointment & Booking

Default Status

unaffected

Versions

Affected

From 0 through 1.0.8 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-862	CWE-862 Missing Authorization

Type: CWE

CWE ID: CWE-862

Description: CWE-862 Missing Authorization

Metrics

Version	Base score	Base severity	Vector
3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Credits

finder

Itthidej Aramsri

Timeline

Event	Date
Disclosed	2026-05-11 19:03:39

Event: Disclosed

Date: 2026-05-11 19:03:39

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/afc3531d-6134-4b45-b532-37430d96a8fb?source=cve	N/A
https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php#L2558	N/A
https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.8/inc/front/class.saab.front.action.php#L2558	N/A
https://wordpress.org/plugins/smart-appointment-booking/	N/A