Description
Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wappointment: from n/a through <= 2.7.6.
Published: 2025-12-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in the Wappointment WordPress plugin permits attackers to bypass intended access restrictions and gain unauthorized access to sensitive plugin features. The vulnerability stems from incorrectly configured access control security levels, which effectively remove the checks that should limit who can view or modify appointment data and configuration settings. Because the flaw is a direct omission of authorization enforcement, attackers could potentially read, modify, or delete appointment information, expose client data, or alter system settings, posing confidentiality and integrity risks to any site using the affected plugin.

Affected Systems

The issue affects the Wappointment plugin developed by the Wappointment team for WordPress, impacting all installations with versions 2.7.6 and earlier. Users running the plugin in those versions are at risk unless they upgrade or apply another fix.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, implying a low probability of exploitation in the wild. It is not listed in CISA's KEV catalog. The description does not explicitly state the attack vector; from its wording, it is inferred that the vulnerability could be exploited via web interactions with the plugin's administrative or front-end interfaces. An attacker likely requires some level of prior access to the site, such as an authenticated user account, to interact with the plugin's restricted endpoints.

Generated by OpenCVE AI on April 29, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Wappointment plugin to the latest available release, which removes the missing authorization flaw.
  • Re‑evaluate user roles and capabilities associated with the plugin to enforce least‑privilege principles and prevent accidental over‑privileged access.
  • Configure web application firewalls or security plugins to monitor and block anomalous requests targeting plugin endpoints, and review logs for signs of unauthorized access attempts.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 01:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wappointment: from n/a through <=2.7.2.
Values Added: Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wappointment: from n/a through <= 2.7.6.

Type: Title
Values Removed: WordPress Wappointment plugin <=2.7.2 - Broken Access Control vulnerability
Values Added: WordPress Wappointment plugin <= 2.7.6 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Added: Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress, Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 13:15:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wappointment: from n/a through <=2.7.2.

Type: Title
Values Added: WordPress Wappointment plugin <=2.7.2 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.714Z

Reserved: 2025-12-19T10:17:34.321Z

Link: CVE-2025-68575

Vulnrichment

Updated: 2025-12-24T18:51:14.526Z

NVD

Status: Deferred

Published: 2025-12-24T13:16:24.540

Modified: 2026-04-27T19:16:32.227

Link: CVE-2025-68575

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:15:16Z

Weaknesses