📄 Description (English)
The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed views php files via direct access.
🤖 AI Executive Summary
The Truebooker WordPress plugin (versions ≤1.1.4) exposes sensitive information through directly accessible PHP view files, allowing unauthenticated attackers to retrieve potentially confidential data without authentication. With a CVSS score of 5.3 and no available patch, this vulnerability poses a moderate risk to WordPress-based appointment and scheduling systems. Organizations using this plugin should immediately assess exposure and implement compensating controls.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 30, 2026 02:18
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations operating WordPress-based appointment systems—particularly in healthcare (clinics, hospitals), government services (Absher, GOSI), banking (customer service scheduling), and telecommunications—face exposure of sensitive customer data including names, contact information, appointment details, and potentially payment information. Healthcare providers and government agencies are at highest risk due to regulatory requirements under SAMA CSF and NCA ECC. Small and medium enterprises (SMEs) using Truebooker for customer scheduling are particularly vulnerable due to limited security monitoring.
🏢 Affected Saudi Sectors
Healthcare
Government Services
Banking and Financial Services
Telecommunications
Hospitality and Tourism
Education
Small and Medium Enterprises (SMEs)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all WordPress installations using Truebooker plugin versions ≤1.1.4 across your organization
2. Disable direct access to /wp-content/plugins/truebooker/views/ directory via .htaccess or web server configuration
3. Review access logs for suspicious direct requests to PHP view files (patterns: /views/*.php)
4. Assess what sensitive data may have been exposed through these files
Compensating Controls (until patch available):
5. Implement web application firewall (WAF) rules to block direct access to plugin view directories
6. Restrict plugin directory permissions to 755 (directories) and 644 (files)
7. Add HTTP headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY
8. Implement IP whitelisting for WordPress admin access
9. Deploy file integrity monitoring on plugin directories
10. Consider disabling the plugin if not actively used; migrate to alternative scheduling solutions
Detection Rules:
- Monitor for GET/POST requests to /wp-content/plugins/truebooker/views/*.php
- Alert on 200 responses from view files accessed without proper WordPress hooks
- Track failed authentication attempts followed by direct file access attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Truebooker بإصدارات ≤1.1.4 في جميع أنحاء المنظمة
2. تعطيل الوصول المباشر إلى دليل /wp-content/plugins/truebooker/views/ عبر .htaccess أو إعدادات خادم الويب
3. مراجعة سجلات الوصول للطلبات المريبة المباشرة إلى ملفات PHP (الأنماط: /views/*.php)
4. تقييم البيانات الحساسة التي قد تكون قد تعرضت من خلال هذه الملفات
الضوابط التعويضية (حتى توفر التصحيح):
5. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) لحظر الوصول المباشر إلى أدلة المكونات
6. تقييد أذونات دليل المكون إلى 755 (الأدلة) و 644 (الملفات)
7. إضافة رؤوس HTTP: X-Content-Type-Options: nosniff, X-Frame-Options: DENY
8. تطبيق القائمة البيضاء للعناوين IP لوصول WordPress الإداري
9. نشر مراقبة سلامة الملفات على أدلة المكونات
10. النظر في تعطيل المكون إذا لم يكن قيد الاستخدام النشط؛ الهجرة إلى حلول جدولة بديلة
قواعد الكشف:
- مراقبة طلبات GET/POST إلى /wp-content/plugins/truebooker/views/*.php
- تنبيهات على استجابات 200 من ملفات العرض التي يتم الوصول إليها بدون خطافات WordPress المناسبة
- تتبع محاولات المصادقة الفاشلة متبوعة بمحاولات الوصول المباشر إلى الملفات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.8.1.1 - Asset Management
A.12.2.1 - Change Management
A.13.1.1 - Information Security Incident Management
🔵 SAMA CSF
ID.AM-2: Software Inventory
PR.AC-1: Access Control Policy
PR.PT-2: Removable Media Protection
DE.CM-1: Network Monitoring
RS.MI-1: Incident Response Plan
🟡 ISO 27001:2022
A.5.1 - Management Direction
A.6.1 - Internal Organization
A.8.1 - Asset Inventory
A.12.2 - Change Management
A.13.1 - Information Security Incident Management
🟣 PCI DSS v4.0.1
Requirement 2.2.4 - Configure system security parameters
Requirement 6.2 - Ensure security patches installed
Requirement 11.2 - Run automated vulnerability scans