Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services.
Published: 2025-12-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the plugin's admin embed endpoint /wp-json/ssa/v1/embed-inner-admin, which can be accessed without authentication and returns configuration data such as staff names, business names, and in premium versions, API keys for external services. An unauthenticated attacker can send a simple HTTP request to retrieve this information, compromising the confidentiality of sensitive business configuration and potentially exposing credentials to integrated services.

Affected Systems

The vulnerability affects croixhaug's Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin on all WordPress installations running versions up to and including 1.6.9.16. Subsequent releases are not identified as vulnerable based on the current information.

Risk and Exploitability

This issue has a CVSS score of 5.3, indicating moderate severity, while the EPSS score of less than 1% signals a low probability of exploitation. The vulnerability is not listed in CISA KEV. Attackers can exploit the flaw simply by accessing the unauthenticated endpoint, which requires no special privileges or additional conditions.

Generated by OpenCVE AI on April 22, 2026 at 20:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simply Schedule Appointments Booking Plugin to the latest available version that contains the fix for the embed endpoint authorization.
  • If an update cannot be applied immediately, block or restrict access to /wp-json/ssa/v1/embed-inner-admin using a web application firewall or server access control so that unauthenticated requests are denied.
  • Check other plugin endpoints for similar missing authorization to prevent additional sensitive information exposure.
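The class of defect behind this advisory (CWE-862, a REST route registered without an authorization check) is easy to spot and fix in WordPress plugin code. The following PHP is an added illustration, not the Simply Schedule Appointments plugin's own code: it registers a hypothetical settings route twice, once with the weak `'__return_true'` permission callback that leaves the data readable by unauthenticated visitors, and once with a `permission_callback` that requires a logged-in user holding `manage_options`. The namespace `example-plugin/v1`, the route names and the handler functions are assumptions; `register_rest_route`, `permission_callback`, `current_user_can` and `WP_Error` are the real WordPress APIs.

```php
<?php
/**
 * Added illustration (not the Simply Schedule Appointments plugin's code):
 * a WordPress REST route that returns admin-only settings, shown first with
 * the missing-authorization pattern (CWE-862) and then with a real check.
 * Namespace, route names and function names are hypothetical.
 */

// Constructed sample of the kind of data such an endpoint returns.
function example_plugin_admin_settings() {
    return array(
        'business_name' => 'Example Dental',                    // constructed
        'staff'         => array( 'A. Example', 'B. Example' ), // constructed
        'api_key'       => 'EXAMPLE-PLACEHOLDER-KEY',           // placeholder, never a real key
    );
}

// WEAK: '__return_true' grants every request access, including anonymous
// visitors, so the whole payload above is public.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/admin-settings-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response( example_plugin_admin_settings() );
        },
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: require an authenticated user with the capability that guards
// the plugin's settings screen; answer 401 or 403 otherwise.
function example_plugin_admin_settings_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to read these settings.', 'example-plugin' ),
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read these settings.', 'example-plugin' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/admin-settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response( example_plugin_admin_settings() );
        },
        'permission_callback' => 'example_plugin_admin_settings_permission',
    ) );
} );
```

When auditing other plugin routes, search the codebase for `register_rest_route` calls whose `permission_callback` is `'__return_true'` or absent, and ask whether the data returned is meant to be public. Cookie-authenticated REST requests also need a valid `X-WP-Nonce` header, so a test GET from a logged-out browser session on a staging site should return 401 rather than the settings payload once the check is in place.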

Advisories

No advisories yet.

History

Sun, 21 Dec 2025 21:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Croixhaug
                                       Croixhaug appointment Booking Calendar
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Croixhaug
                                       Croixhaug appointment Booking Calendar
                                       Wordpress
                                       Wordpress wordpress

Fri, 19 Dec 2025 19:15:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Dec 2025 07:00:00 +0000

Type                 Values Removed    Values Added
Description                            The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services.
Title                                  Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.16 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Weaknesses                             CWE-862
References
Metrics                                cvssV3_1
                                       {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:07.329Z

Reserved: 2025-11-26T19:11:33.301Z

Link: CVE-2025-13754

Vulnrichment

Updated: 2025-12-19T18:47:46.643Z

NVD

Status: Deferred

Published: 2025-12-19T07:16:00.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses