Description
Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Schedula: from n/a through <= 1.0.
Published: 2026-02-20
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated access to privileged plugin functions
Action: Update Plugin
AI Analysis

Impact

The vulnerability is caused by missing authorization checks in the Vertim Schedula Smart Appointment Booking plugin for WordPress. This broken access control allows an unauthenticated or low‑privileged user to invoke functionality that is intended for administrators. The result is unauthorized access to protected plugin features. The weakness is identified as CWE‑862. The CVE description does not detail the precise data or functions exposed, so the exact confidentiality, integrity or availability impact remains unclear, but typical implications of such flaws include unauthorized viewing or modification of appointment data or configuration settings.

Affected Systems

The flaw exists in all releases of the Vertim Schedula plugin up to and including version 1.0. Any WordPress site running one of these versions is potentially affected.

Risk and Exploitability

The CVSS score of 5.9 places the flaw in the moderate risk range. The EPSS score is less than 1%, indicating a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The description does not specify the exact attack vector, but the plugin’s functionality is accessed via the WordPress web interface, implying that an attacker could potentially exploit the flaw remotely over HTTP. Because the issue is a missing authorization check, the exploitation requires only that the attacker can reach the plugin’s endpoints and that the plugin does not enforce role checks before processing requests.

Generated by OpenCVE AI on April 28, 2026 at 09:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vertim Schedula Smart Appointment Booking plugin to the latest version that includes the missing authorization fix.
  • If an upgrade is not possible, remove or deactivate the plugin from the site to eliminate the vulnerable code.
  • Restrict access to the plugin’s administrative endpoints by configuring WordPress user roles so that only trusted administrators retain capabilities such as editing appointments or accessing configuration settings.
  • Monitor for abnormal requests to the plugin’s endpoints and consider disabling or restricting remote access to the WordPress admin area (e.g., via IP whitelisting or 2‑factor authentication) until a patch is applied.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 24 Feb 2026 22:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Vertim; Vertim schedula; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Vertim; Vertim schedula; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Schedula: from n/a through <= 1.0.
Type: Title
Values Added: WordPress Schedula plugin <= 1.0 - Broken Access Control vulnerability
Type: Weaknesses
Values Added: CWE-862
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:24.929Z

Reserved: 2025-12-15T10:00:28.856Z

Link: CVE-2025-67970

Vulnrichment

Updated: 2026-02-24T21:57:05.332Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:03.150

Modified: 2026-04-27T18:16:51.870

Link: CVE-2025-67970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:45:28Z

Weaknesses