CSRF Vulnerability in Appointment Booking Plugin for WordPress by WPBakery
CVE-2026-11866

Currently unrated

Key Information:

Vendor

WordPress

Vendor
CVE Published:
16 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-11866?

The Appointment Booking Plugin for WordPress, prior to version 5.6.3, is vulnerable to Cross-Site Request Forgery (CSRF) due to inadequate validation of CSRF nonces across several actions managed by its central request dispatcher. This flaw permits attackers to exploit logged-in administrators, enabling them to perform unauthorized actions, such as altering booking-form configurations or severing the connection with payment gateways, thereby compromising the integrity of the booking systems.

Affected Version(s)

Appointment Booking Plugin 0 < 5.6.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Meher Sudhakar Abbireddi
WPScan
.