CVE-2026-12393 PUBLISHED

WPS Bookings for WooCommerce < 3.11.7 - Subscriber+ Arbitrary Booking Order Cancellation via IDOR

Assigner: WPScan
Reserved: 16.06.2026 Published: 17.07.2026 Updated: 17.07.2026

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.

Product Status

Vendor Unknown
Product WPS Bookings for WooCommerce
Versions Default: unaffected
  • affected from 0 to 3.11.7 (excl.)

Credits

  • Sanjorn Keeratirungsan finder
  • WPScan coordinator

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key CWE