Impact
The vulnerability involves missing authorization checks in the NSquared Simply Schedule Appointments plugin. This is a broken access control weakness (CWE-862, Missing Authorization): the plugin performs actions without first verifying that the requesting user is permitted to perform them, so an attacker can bypass the plugin's intended security layers and perform actions that should be restricted, such as viewing or modifying appointment data. This broken access control can lead to unauthorized disclosure of sensitive scheduling information and potential tampering with appointment records, undermining both confidentiality and integrity.
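As an added illustration of the CWE-862 pattern in a WordPress plugin (hypothetical code written for this page, not the plugin's own; the route namespace, capability and sample records are assumptions), the weak form registers a REST route whose permission callback lets any visitor through, while the hardened form requires an authenticated user with an appropriate capability:

```php
<?php
// Hypothetical WordPress REST route illustrating CWE-862 (not the plugin's code).
// Weak form: the permission callback always returns true, so unauthenticated
// visitors can read appointment records. Since WordPress 5.5 an absent
// permission_callback triggers a _doing_it_wrong notice, so '__return_true'
// is the usual way this defect appears in practice.
add_action('rest_api_init', function () {
    register_rest_route('example-sched/v1', '/appointments', [
        'methods'             => 'GET',
        'callback'            => 'example_sched_list_appointments',
        'permission_callback' => '__return_true', // no authorization check
    ]);
});

// Hardened form: require a logged-in user AND a capability that actually
// means "may read appointment records". 'manage_options' is an assumed
// stand-in; a real plugin would register and check its own capability.
add_action('rest_api_init', function () {
    register_rest_route('example-sched/v1', '/appointments-secure', [
        'methods'             => 'GET',
        'callback'            => 'example_sched_list_appointments',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!is_user_logged_in()) {
                return new WP_Error('rest_forbidden',
                    'Authentication required.', ['status' => 401]);
            }
            if (!current_user_can('manage_options')) {
                return new WP_Error('rest_forbidden',
                    'Insufficient privileges.', ['status' => 403]);
            }
            return true;
        },
    ]);
});

// Shared handler; the records below are constructed sample data.
function example_sched_list_appointments(WP_REST_Request $request) {
    return rest_ensure_response([
        ['id' => 1, 'customer' => 'A. Example', 'start' => '2024-01-15T09:00:00'],
        ['id' => 2, 'customer' => 'B. Example', 'start' => '2024-01-15T10:30:00'],
    ]);
}
```

The same check belongs on any admin-ajax or form handler that modifies appointment data, together with a nonce check via `check_ajax_referer()` or `check_admin_referer()` so that a capable user cannot be driven into the action by a forged request.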
Affected Systems
All WordPress installations that use the NSquared Simply Schedule Appointments plugin at version 1.6.9.15 or earlier are affected. The issue applies to every release up to and including 1.6.9.15; no lower bound is specified, so the earliest available versions should be assumed vulnerable. Administrators of WordPress sites deploying this plugin should verify their current version and plan for remediation.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate impact, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, so no in-the-wild exploitation has been recorded there. Based on the description, the likely attack vector involves interacting with the WordPress environment through the plugin's administrative interface, either as an authenticated user or via a role that grants excessive permissions. If an attacker can reach the plugin's administrative interface, they could elevate privileges or access sensitive appointment data.
OpenCVE Enrichment