Description
The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function, which is reachable via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks is_admin() && current_user_can('edit_posts'), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin.
Published: 2026-06-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Appointment Booking Calendar plugin for WordPress contains a flaw that allows an authenticated user with Contributor-level permissions or higher to retrieve customer booking details by supplying a calendar identifier. The vulnerability originates from an authorization bypass: the cpabc_appointments_calendar_load2() handler only verifies is_admin() and the capability edit_posts, ignoring the ownership of individual calendars. Because this check is too permissive, any contributor can ask for the contents of any calendar managed by the plugin and view email addresses, names, phone numbers, booking times and comments. The result is sensitive information exposure affecting confidentiality for all users with access to booking data.

Affected Systems

Any WordPress site that has installed the Appointment Booking Calendar plugin by codepeople at any version up to and including 1.4.01 is impacted. Sites using later releases are not affected.

Risk and Exploitability

The CVSS base score of 4.3 indicates a moderate threat, and the EPSS score below 1% signals a low probability of exploitation at this time. The weakness is not listed in CISA KEV. Exploitation requires only a valid user account with the edit_posts capability; no remote code execution or privilege escalation is needed. The exploit path is straightforward: a Contributor-level user can append the cpabc_calendar_load2=1 and id parameters to a wp-admin URL, causing the plugin to return booking data for the specified calendar.
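
For defenders checking whether this handler has been used on their site, the following added example (not part of the advisory or the plugin) scans web access logs for wp-admin requests carrying cpabc_calendar_load2=1 and reports clients that successfully read several distinct calendar IDs. The combined log format, the sample lines and the threshold of 2 are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2026:10:01:02 +0000] "GET /wp-admin/?cpabc_calendar_load2=1&id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jun/2026:10:01:03 +0000] "GET /wp-admin/?cpabc_calendar_load2=1&id=2 HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jun/2026:10:01:04 +0000] "GET /wp-admin/index.php?id=3&cpabc_calendar_load2=1 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jun/2026:10:05:00 +0000] "GET /wp-admin/?cpabc_calendar_load2=1&id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jun/2026:10:06:00 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Jun/2026:10:07:00 +0000] "GET /?cpabc_calendar_load2=1&id=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client, request target and status code from one combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')

def calendar_load_hits(log_text):
    """Yield (client, calendar_id, status) for wp-admin requests to the load2 handler."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        query = parse_qs(url.query, keep_blank_values=True)
        # The advisory places the handler behind is_admin(), so only wp-admin paths count.
        if "/wp-admin/" not in url.path:
            continue
        if query.get("cpabc_calendar_load2") != ["1"]:
            continue
        yield client, query.get("id", [""])[0], status

def clients_reading_many_calendars(log_text, threshold=2):
    """Return {client: sorted ids} for clients that fetched >= threshold distinct calendars."""
    seen = defaultdict(set)
    for client, cal_id, status in calendar_load_hits(log_text):
        if status == 200:
            seen[client].add(cal_id)
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for client, ids in clients_reading_many_calendars(SAMPLE_LOG).items():
        print(f"{client} read calendars {ids} via cpabc_calendar_load2")
```

Access logs do not record the WordPress account, so flagged clients need to be correlated with session or login records to see whether the account manages the calendars it read.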

Generated by OpenCVE AI on June 18, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Appointment Booking Calendar plugin to the latest version (≥1.4.02).
  • If an immediate upgrade is not possible, temporarily disable or remove the plugin until a patched release is available.
  • Reevaluate Contributor and Editor role permissions and consider revoking the edit_posts capability for users who only need to publish content.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared: Codepeople; Codepeople appointment Booking Calendar; Wordpress; Wordpress wordpress
Vendors & Products: Codepeople; Codepeople appointment Booking Calendar; Wordpress; Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function, which is reachable via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks is_admin() && current_user_can('edit_posts'), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin.
Title Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter
Weaknesses CWE-200
References
Metrics cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T12:42:19.850Z

Reserved: 2026-06-12T14:40:58.131Z

Link: CVE-2026-12111

Vulnrichment

Updated: 2026-06-18T12:42:15.987Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor