Impact
A vulnerability in the Easy!Appointments WordPress plugin allows a Cross‑Site Request Forgery (CSRF) attack in which an unauthenticated or low‑privilege attacker can change the plugin's configuration settings. All releases up to 1.4.2 are affected; per the CVE description, the root cause is a missing or improper CSRF token check when settings updates are processed. The weakness is classified as CWE‑352, a classic CSRF scenario. The impact is limited to the affected plugin's settings and gives no direct host or database access, but the ability to alter booking rules, email templates, or other operational parameters could be leveraged to cause denial of service, unauthorized scheduling, or phishing attempts.
Affected Systems
The affected product is the Easy!Appointments WordPress plugin developed by alextselegidis. All plugin versions through 1.4.2 are vulnerable. No additional vendor or system details are specified beyond the plugin itself.
Risk and Exploitability
The CVSS base score of 4.3 indicates moderate risk: the attack requires the victim to visit a crafted URL, or to have a forged cross‑site request submitted from their browser, while authenticated to the site. The EPSS score of less than 1% suggests that the probability of exploitation is very low, and the vulnerability is not listed in CISA's KEV catalog. In practice, an attacker would need to lure a site administrator or moderator into clicking a malicious link or submitting a malicious embedded form, and would rely on that user having editing rights. Because this is a CSRF flaw, it provides no remote code execution or privilege escalation outside the WordPress installation on its own.
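To show what the missing CSRF token check described above looks like in a WordPress settings handler, and how it is fixed, here is an added illustration that is not Easy!Appointments code; the `ea_demo_*` names, option key, and `manage_options` capability are assumptions.

```php
<?php
// Added illustration, not Easy!Appointments code: a generic WordPress
// settings handler of the kind CWE-352 describes, then the hardened form.
// Names (ea_demo_*, option key, capability) are hypothetical.

// --- Vulnerable pattern: any POST to admin-post.php?action=ea_demo_save
// is honoured. A form on another site submitted by a logged-in admin's
// browser carries that admin's session cookie, so the setting changes.
function ea_demo_save_settings_vulnerable() {
    $notify = isset( $_POST['notify_email'] ) ? sanitize_email( wp_unslash( $_POST['notify_email'] ) ) : '';
    update_option( 'ea_demo_notify_email', $notify );
    wp_safe_redirect( admin_url( 'admin.php?page=ea_demo&saved=1' ) );
    exit;
}

// --- Hardened form: require the capability, then bind the request to a
// nonce issued to this user for this action. check_admin_referer() stops
// with an error page when the nonce is missing or wrong, so a request
// built on another origin cannot satisfy it.
function ea_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ea-demo' ), 403 );
    }
    check_admin_referer( 'ea_demo_save_settings', 'ea_demo_nonce' );

    $notify = isset( $_POST['notify_email'] ) ? sanitize_email( wp_unslash( $_POST['notify_email'] ) ) : '';
    update_option( 'ea_demo_notify_email', $notify );
    wp_safe_redirect( admin_url( 'admin.php?page=ea_demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_ea_demo_save', 'ea_demo_save_settings_hardened' );

// The settings form must emit the matching nonce field; without it the
// hardened handler rejects even legitimate submissions.
function ea_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ea_demo_save">
        <?php wp_nonce_field( 'ea_demo_save_settings', 'ea_demo_nonce' ); ?>
        <label>Notification e-mail
            <input type="email" name="notify_email"
                   value="<?php echo esc_attr( get_option( 'ea_demo_notify_email', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A quick check when auditing a plugin is to grep every settings-saving handler for `check_admin_referer`, `wp_verify_nonce`, or `check_ajax_referer` next to a `current_user_can` call; a handler that writes options with neither is the pattern this advisory describes.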
OpenCVE Enrichment