Severity: CRITICAL | CVE-2026-48881 | CNA: Patchstack

CVE-2026-48881: WordPress TrueBooker plugin <= 1.1.9 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in TrueBooker versions <= 1.1.9.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Broken access control in the WordPress TrueBooker plugin (versions 1.1.9 and earlier) allows an unauthenticated remote attacker to reach functionality that should require a logged-in user. The flaw is exploitable over the network with no credentials and no victim interaction, which is what the CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N) and the 9.1 critical score reflect. The vector rates both confidentiality and integrity impact as high (C:H/I:H), so successful exploitation gives the attacker read and write access to the data the plugin manages, which for a booking plugin includes booking records and the customer details attached to them; availability is not rated as affected (A:N). No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as a fix version is released.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-48881 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and vendor advisories. This coverage extends to custom-built images that bundle the TrueBooker plugin, not just official distribution images.

Triage (Available)

Triage is available using the CVSS v3.1 score of 9.1 (Critical), weighted against each customer organization's compliance policy to reflect their specific risk tolerance and regulatory context. Findings are routable to the appropriate team inbox within each customer org based on configured ownership rules.

Patch (Pending upstream)

Because no fix version has been published for CVE-2026-48881, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required (AV:N)

    The attacker must reach the WordPress installation over the network; no physical or local access is needed.

  • Authentication: Not required (PR:N)

    No account or session token of any kind is required; the broken access control flaw is reachable by a completely anonymous request.

  • Victim interaction: Not required (UI:N)

    The attacker does not need to trick or involve any user; the exploit is entirely server-side.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and requires no special timing, race conditions, or environmental prerequisites.

Blast Radius

  • An attacker reads protected booking records, customer personal information, and any other data the plugin stores or exposes through its access-controlled endpoints.
  • An attacker writes to or modifies booking data, potentially creating, altering, or deleting reservations and associated records without authorization.
  • Service availability is not directly impacted according to the CVSS availability metric (A:N), but data integrity loss from unauthorized writes can cause functional disruption for site operators and end users.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-48881, HarborGuard monitors the Patchstack advisory and all relevant upstream feeds on every ingest cycle, ready to surface a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression test run and open a PR against affected workloads. In the meantime, compensating controls are worth applying: network-policy rules that restrict unauthenticated external access to WordPress admin and plugin endpoints, WAF rules targeting the routes exposed by TrueBooker once those routes have been identified (the advisory does not enumerate them), and deactivating the plugin from WordPress if booking functionality is non-critical. Keep in mind that a public booking form is itself unauthenticated traffic, so blanket blocking of anonymous requests to plugin endpoints will also break booking for legitimate visitors; deactivation is the only plugin-level control that removes the exposure outright until a fixed version ships. HarborGuard will update the advisory status and unblock the auto-remediation flow without requiring manual intervention once the vendor ships a patch.
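The version-range check behind the Detection paragraph above, together with the plugin-deactivation control just described, written out as an added example. This is illustrative code, not HarborGuard's, Patchstack's or the plugin vendor's. It assumes the plugin's WordPress slug is `truebooker`, and the `wp plugin list --format=json` output it scans is constructed inline rather than captured from a real site. It handles the pitfall a naive string comparison gets wrong (lexically, "1.1.10" sorts before "1.1.9") and, because no fixed version exists, emits the WP-CLI `wp plugin deactivate` command for any active hit.

```python
"""Affected-range check for CVE-2026-48881 (TrueBooker <= 1.1.9).

Added example, not HarborGuard, Patchstack or vendor code. The slug
"truebooker" and the sample WP-CLI output below are assumptions.
"""
import json
import re

AFFECTED_SLUG = "truebooker"   # assumed WordPress.org slug for TrueBooker
LAST_AFFECTED = "1.1.9"        # advisory: versions <= 1.1.9 are affected


def parse_version(v: str):
    """Split '1.1.10', '1.2', '1.1.9.1' or '1.1.9-beta' into comparable parts.

    Numeric components are compared as integers, so 1.1.10 > 1.1.9. An
    optional pre-release suffix sorts below the bare release of the same
    number (1.1.9-beta < 1.1.9).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    pre = m.group(2)
    return nums, ((0, pre.lower()) if pre else (1, ""))


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b (missing trailing components count as 0)."""
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na, pa) <= (nb, pb)


def is_affected(slug: str, version: str) -> bool:
    """Match one installed plugin against the advisory's affected range."""
    return slug == AFFECTED_SLUG and version_le(version, LAST_AFFECTED)


def find_affected(wp_plugin_list_json: str) -> list:
    """Scan `wp plugin list --format=json` output and return affected entries."""
    return [p for p in json.loads(wp_plugin_list_json)
            if is_affected(p["name"], p["version"])]


def remediation_commands(affected: list) -> list:
    """No fixed version is published, so the plugin-level control is deactivation.

    `wp plugin deactivate <slug>` is a real WP-CLI command; only active
    plugins need it.
    """
    return [f"wp plugin deactivate {p['name']}"
            for p in affected if p["status"] == "active"]


# Constructed sample in the shape `wp plugin list --format=json` emits
# (name, status, update, version). Not captured from a real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "truebooker", "status": "active", "update": "none", "version": "1.1.9"},
])

if __name__ == "__main__":
    hits = find_affected(SAMPLE_PLUGIN_LIST)
    for p in hits:
        print(f"{p['name']} {p['version']} is within the affected range "
              f"(<= {LAST_AFFECTED}); no fixed version published")
    for cmd in remediation_commands(hits):
        print("suggested:", cmd)
```

On a real host the JSON would come from `wp plugin list --format=json` run in the site root; once the vendor ships a fix, change `LAST_AFFECTED` to the last vulnerable version and swap the deactivate command for `wp plugin update truebooker`.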

Affected packages
  • themetechmount / TrueBooker: ≤ 1.1.9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N