๐Ÿ” CVE Alert

CVE-2026-9180

MEDIUM 5.3

MotoPress Appointment Booking <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the `POST /motopress/appointment/v1/bookings` REST endpoint being registered with `'permission_callback' => '__return_true'`, allowing unauthenticated access, while the `createBooking` handler in `BookingsRestController.php` accepts an attacker-supplied `payment_details.booking_id` value and loads the referenced booking via `findById()` without verifying that the caller owns or has any rights to that booking. This makes it possible for unauthenticated attackers to overwrite the customer name, email address, phone number, and `customer_id` of any non-confirmed victim booking by submitting a request with no reservation items, causing `BookingService::createBooking()` to load the existing victim booking object and persist it with attacker-controlled customer data. Victim booking IDs can be harvested prior to exploitation without authentication by querying the also-publicly-accessible `GET /motopress/appointment/v1/bookings/reservations` endpoint with a guessable `service_id` and date range, and only bookings whose status is not `STATUS_CONFIRMED` (e.g., pending or auto-draft) are valid targets.

CWE CWE-639
Vendor jetmonsters
Product motopress appointment booking
Published Jul 3, 2026
Stay Ahead of the Next One

Get instant alerts for jetmonsters motopress appointment booking

Be the first to know when new medium vulnerabilities affecting jetmonsters motopress appointment booking are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

jetmonsters / MotoPress Appointment Booking
0 โ‰ค 2.4.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/e9a6521d-39b2-48f4-834b-888047619df5?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L98 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L308 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php#L30 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/services/BookingService.php#L29 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3583168/motopress-appointment-lite/trunk/includes/rest/controllers/motopress/appointment/v1/BookingsRestController.php

Credits

g0wthr