Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter.
Published: 2026-03-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Upgrade Plugin
AI Analysis

Impact

The vulnerability is an insecure direct object reference that allows authenticated users with the ssa_manage_appointments capability to extract appointment records belonging to other staff members. This results in disclosure of personally identifiable customer information. The weakness is identified as CWE-639 "Authorization Bypass Through User Controlled Key". Key detail from vendor description: "The get_item_permissions_check method grants access to users with the ssa_manage_appointments capability without validating staff ownership of the requested appointment."
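To make the weak check concrete, the following is an added illustration written for this page, not the plugin's own code: a WordPress REST controller whose `permission_callback` for reading a single appointment is shown in the capability-only form the description criticises and in a hardened form that also verifies staff ownership. The class name, the route namespace, the table and column names and the `ssa_example_get_appointment_staff_id()` helper are assumptions; `current_user_can()`, `register_rest_route()`, `WP_Error` and the other WordPress functions used are real core APIs.

```php
<?php
/*
 * Added illustration (not the plugin's code): a WP REST controller whose
 * permission callback for GET /appointments/{id} enforces both the
 * ssa_manage_appointments capability and staff ownership of the record.
 * Class name, namespace, table/column names and the helper below are
 * assumptions made for this example.
 */

class SSA_Example_Appointments_Controller extends WP_REST_Controller {

    public function register_routes() {
        register_rest_route( 'ssa-example/v1', '/appointments/(?P<id>\d+)', array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => array( $this, 'get_item' ),
            'permission_callback' => array( $this, 'get_item_permissions_check' ),
            'args'                => array(
                'id' => array( 'validate_callback' => 'rest_is_integer' ),
            ),
        ) );
    }

    // The weak pattern (CWE-639): the capability alone decides, so every user
    // holding it can read every appointment, whichever id is requested.
    public function get_item_permissions_check_capability_only( $request ) {
        return current_user_can( 'ssa_manage_appointments' );
    }

    // The hardened pattern: capability first, then object-level ownership.
    public function get_item_permissions_check( $request ) {
        if ( ! current_user_can( 'ssa_manage_appointments' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to view appointments.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }

        // Site administrators may read every staff member's appointments.
        if ( current_user_can( 'manage_options' ) ) {
            return true;
        }

        $appointment_id = absint( $request['id'] );
        $owner_id       = ssa_example_get_appointment_staff_id( $appointment_id );

        // An unknown id and another staff member's id get the same 404, so the
        // response does not reveal which appointment ids exist.
        if ( null === $owner_id || $owner_id !== get_current_user_id() ) {
            return new WP_Error(
                'rest_not_found',
                __( 'Appointment not found.' ),
                array( 'status' => 404 )
            );
        }

        return true;
    }

    public function get_item( $request ) {
        // WordPress runs the permission callback before this method, so
        // ownership is already verified here. Read-side code is omitted.
        return rest_ensure_response( array( 'id' => absint( $request['id'] ) ) );
    }
}

/**
 * Hypothetical lookup: the WordPress user id of the staff member who owns the
 * appointment, or null when no appointment with that id exists.
 */
function ssa_example_get_appointment_staff_id( $appointment_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ssa_appointments'; // assumed table name
    $staff = $wpdb->get_var(
        $wpdb->prepare( "SELECT staff_id FROM {$table} WHERE id = %d", $appointment_id )
    );
    return null === $staff ? null : (int) $staff;
}

add_action( 'rest_api_init', function () {
    ( new SSA_Example_Appointments_Controller() )->register_routes();
} );
```

The point of the hardened version is that the capability answers "may this role use the appointments endpoint at all?", while the ownership lookup answers "may this user see this particular record?"; an IDOR is what remains when only the first question is asked. Returning the same 404 for a missing record and for another staff member's record is a deliberate choice so that the endpoint does not confirm which ids are valid.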

Affected Systems

The issue affects the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, versions up to and including 1.6.9.29, distributed by croixhaug. Any installation running those versions is susceptible.

Risk and Exploitability

The CVSS v3.1 base score is 4.3, indicating medium severity. EPSS is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and possess the ssa_manage_appointments capability, which is typically granted to team members or staff. Because exposure is limited to users holding that capability, the risk is reduced if role permissions are strictly enforced, but any user with that capability can currently read other staff members' appointments.

Generated by OpenCVE AI on March 19, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Appointment Booking Calendar plugin to the latest version where the permission check has been fixed.
  • Verify that the ssa_manage_appointments capability is assigned only to users who legitimately need it.
  • Use role management tools to monitor any changes to capability assignments.
  • If a patch is not immediately available, consider disabling the Appointment Booking Calendar plugin for users without the ssa_manage_appointments capability until a fix is applied.

Generated by OpenCVE AI on March 19, 2026 at 14:43 UTC.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Croixhaug; Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Croixhaug; Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin; Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 07:45:00 +0000

Type: Description
Values Added: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter.

Type: Title
Values Added: Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-13T16:06:31.251Z

Reserved: 2026-01-30T15:37:58.974Z

Link: CVE-2026-1704

Vulnrichment

Updated: 2026-03-13T16:06:26.102Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:53:58.680

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-1704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:44Z

Weaknesses