CSRF Vulnerability in Appointment Booking Plugin for WordPress by WPBakery
CVE-2026-11866
Currently unrated
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2026-11866?
The Appointment Booking Plugin for WordPress, prior to version 5.6.3, is vulnerable to Cross-Site Request Forgery (CSRF) due to inadequate validation of CSRF nonces across several actions managed by its central request dispatcher. This flaw permits attackers to exploit logged-in administrators, enabling them to perform unauthorized actions, such as altering booking-form configurations or severing the connection with payment gateways, thereby compromising the integrity of the booking systems.
Affected Version(s)
Appointment Booking Plugin 0 < 5.6.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.