Impact
This vulnerability stems from a missing authorization check in the codepeople Appointment Booking Calendar plugin for WordPress. The plugin fails to enforce proper access controls, allowing an attacker to read, modify, or delete appointment data that should be restricted to privileged users. Because the weakness directly compromises confidentiality and integrity of booking information, an adversary could disrupt scheduling workflows or harvest sensitive user details.
Affected Systems
All WordPress sites that have installed codepeople Appointment Booking Calendar version 1.3.95 or earlier are affected. The flaw is present across every release up through 1.3.95, so any site running the plugin without updating is vulnerable. The issue is tied to the plugin's internal booking management interfaces and has not been reported in later versions.
Risk and Exploitability
The recorded CVSS score of 5.4 reflects moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, further suggesting limited public exploitation. The likely attack vector is HTTP/HTTPS traffic to the plugin's booking-management endpoints; based on the description, it is inferred that an attacker can reach the unprotected endpoints remotely by sending crafted requests to the affected URLs, with no special local access required.
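As an added illustration (not code from the plugin or from this advisory), this is the generic shape of a missing authorization check in a WordPress plugin's request handler, shown beside a hardened form that a maintainer would ship as the fix. Every function, hook, option and table name below is hypothetical; the point is the pattern, not the plugin's actual code.

```php
<?php
/*
 * Added illustration (hypothetical names, not the plugin's code): a WordPress
 * admin-ajax handler that manages booking records, first without any
 * authorization check and then with nonce and capability checks in place.
 */

// --- Vulnerable pattern: the handler is hooked for both logged-in and
// anonymous callers and never asks who is calling or what they may do.
add_action( 'wp_ajax_example_delete_booking', 'example_delete_booking_vulnerable' );
add_action( 'wp_ajax_nopriv_example_delete_booking', 'example_delete_booking_vulnerable' );

function example_delete_booking_vulnerable() {
    global $wpdb;
    $id = intval( $_POST['id'] );
    // Any request that reaches admin-ajax.php can delete a booking.
    $wpdb->delete( $wpdb->prefix . 'example_bookings', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// --- Hardened pattern: registered for logged-in users only; verifies a
// nonce (request forgery) and a capability (authorization) before any
// data access, and validates the input it is about to use.
add_action( 'wp_ajax_example_delete_booking_secure', 'example_delete_booking_secure' );

function example_delete_booking_secure() {
    // check_ajax_referer() terminates the request if the nonce is missing
    // or was not issued for this action.
    check_ajax_referer( 'example_manage_bookings', 'nonce' );

    // Authorization: only users holding the chosen capability may delete.
    // wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_bookings', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'database error' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// The admin page that issues the request must embed a matching nonce,
// created server-side for the same action string.
function example_booking_nonce() {
    return wp_create_nonce( 'example_manage_bookings' );
}

// --- The same rule for a REST route: a permission_callback is mandatory.
// Returning '__return_true' here would reproduce the missing-authorization bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/bookings/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_rest_delete_booking',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'id' => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ),
        ),
    ) );
} );

function example_rest_delete_booking( WP_REST_Request $request ) {
    global $wpdb;
    $id      = absint( $request['id'] );
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_bookings', array( 'id' => $id ), array( '%d' ) );
    return rest_ensure_response( array( 'deleted' => $deleted ) );
}
```

When reviewing a plugin for this class of defect, the signals to look for are `wp_ajax_nopriv_*` hooks on handlers that change data, handlers that read `$_POST`/`$_GET` without a preceding `check_ajax_referer()`/`current_user_can()` pair, and REST routes whose `permission_callback` is absent or `__return_true`. On the operations side, unexpected `admin-ajax.php` or REST requests to the plugin's booking actions from unauthenticated sessions are the corresponding log signal, and updating past the affected version range removes the exposure.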
OpenCVE Enrichment