Description
The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to cancel all upcoming appointments site-wide by marking every future appointment stored by the plugin as abandoned. The nonce required to authenticate the cancellation request is printed on the Appointments admin page, which is itself gated only by the edit_posts capability that Authors possess, making the nonce readily accessible to low-privileged users.
Published: 2026-07-10
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Jul 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Easyappointments
Easyappointments easy!appointments
Wordpress
Wordpress wordpress
Vendors & Products Easyappointments
Easyappointments easy!appointments
Wordpress
Wordpress wordpress

Fri, 10 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to cancel all upcoming appointments site-wide by marking every future appointment stored by the plugin as abandoned. The nonce required to authenticate the cancellation request is printed on the Appointments admin page, which is itself gated only by the edit_posts capability that Authors possess, making the nonce readily accessible to low-privileged users.
Title Easy Appointments <= 3.12.27 - Missing Authorization to Authenticated (Author+) Bulk Appointment Manipulation
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Easyappointments Easy!appointments
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-10T07:48:45.416Z

Reserved: 2026-06-11T14:53:51.026Z

Link: CVE-2026-11992

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T11:00:04Z

Weaknesses