Bookingor WordPress Plugin Missing Authorization Vulnerability Allowing Category Deletion

Vulnerability

A vulnerability exists in the Bookingor WordPress plugin, specifically in versions through 1.0.12. The issue arises because authenticated AJAX actions are exposed without proper capability or nonce checks. This oversight enables low-privileged users to delete categories associated with the Bookingor plugin.
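The two checks named above, shown on a generic handler for the same AJAX action. This is an added example, not Bookingor's code: the function name, nonce action, `category_id` field, table name and the choice of `manage_options` as the required capability are all assumptions made for illustration.

```php
<?php
// Added example: the shape of a guarded authenticated AJAX handler.
// Hypothetical names (not from the plugin): example_delete_category(),
// the 'example_delete_category' nonce action, the 'nonce' and 'category_id'
// request fields, and the 'example_categories' table.

// wp_ajax_{action} fires for any logged-in user, including subscribers,
// so the handler itself has to decide who may proceed.
add_action( 'wp_ajax_bp_delete_category', 'example_delete_category' );

function example_delete_category() {
    // 1. Nonce check: the request must carry a token this site issued to
    //    this user for this action. Passing false as the third argument
    //    makes the function return instead of dying, so we control the reply.
    if ( ! check_ajax_referer( 'example_delete_category', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Capability check: a valid session is not authorization.
    //    'manage_options' is an assumed choice; use the capability that
    //    matches who is meant to manage categories.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input handling: accept only a positive integer id.
    $category_id = isset( $_POST['category_id'] )
        ? absint( wp_unslash( $_POST['category_id'] ) )
        : 0;
    if ( 0 === $category_id ) {
        wp_send_json_error( array( 'message' => 'Missing category id' ), 400 );
    }

    // 4. Only now perform the destructive operation.
    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_categories', // hypothetical table
        array( 'id' => $category_id ),
        array( '%d' )
    );

    if ( ! $deleted ) { // false on DB error, 0 when no row matched
        wp_send_json_error( array( 'message' => 'Category not deleted' ), 404 );
    }
    wp_send_json_success( array( 'deleted' => $category_id ) );
}
```

The page that renders the delete control would emit the matching token with `wp_create_nonce( 'example_delete_category' )`.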

Impact

Exploitation of this vulnerability allows for unauthorized deletion of Bookingor plugin categories by low-privileged users.

Reproduction

To reproduce this vulnerability, first add a category using the Bookingor WordPress plugin. Then, send a request to 'wp-admin/admin-ajax.php' with the 'bp_delete_category' action and the ID of the category to be deleted. Include the 'wordpress_logged_in' cookie to authenticate the request.

Added: Jan 20, 2026, 6:21 AM
Updated: Jan 20, 2026, 6:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.