Description
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
Published: 2026-01-15
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation through CSRF leading to administrative takeover
Action: Patch Immediately
AI Analysis

Impact

Easy!Appointments 1.5.2 and earlier contain a flaw where CSRF verification is only applied to POST requests: csrf_verify() in application/core/EA_Security.php returns early for any other HTTP method. Several endpoints that alter state read their parameters from GET or from $_REQUEST (which merges the query string with the POST body and, depending on PHP's request_order, cookies), so a handler cannot tell a submitted form from a link or image load. An attacker can therefore craft a GET request that is processed as a state-changing action with no token check at all, enabling creation of new admin accounts, modification of admin email and password, and full admin account takeover. This deficiency maps to CWE-352, a missing or improper protection against Cross-Site Request Forgery.

Affected Systems

The product affected is Easy!Appointments, version 1.5.2 and all earlier releases. The vulnerability resides in the core file application/core/EA_Security.php, whose csrf_verify() skips the token check for non-POST methods instead of rejecting them.

Risk and Exploitability

The CVSS 4.0 score is 7.4 (High); the vector's UI:P means the victim only needs to load attacker-controlled content while holding an authenticated session, and the NVD CVSS 3.1 score recorded in the history below is 8.8. The EPSS score is listed as <1%, implying a low current exploitation probability, and the vulnerability is not in the CISA KEV catalog; note, however, that the SSVC enrichment records Exploitation: poc and Automatable: yes, so a proof of concept exists. The likely attack vector is browser-based CSRF: a malicious site, an embedded image, or an email link causes the victim's browser to issue a crafted GET request to the vulnerable endpoint, and because the browser attaches the victim's session cookie the state-changing operation executes without a CSRF token, granting the attacker administrative privileges. The impact is confined to the affected Easy!Appointments instance (S:U / SC:N), but the consequence is full admin takeover.

Generated by OpenCVE AI on April 18, 2026 at 16:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy!Appointments to a release later than 1.5.2 that includes the fix tracked in GHSA-54v4-4685-vwrj once the vendor publishes one; at the time of this page no fixed version or workaround is recorded, so check the advisory for the patched release.
  • If an upgrade is not immediately possible, restrict the endpoints that perform administrative changes to POST at the web server or application routing layer. This only works where those endpoints have routes distinct from legitimate read-only GET endpoints; if they share routes, the check has to live in the application. Do not rely on SameSite=Lax session cookies as a substitute: a top-level GET navigation still carries a Lax cookie, so the crafted-link variant of this attack is unaffected.
  • In application code, enforce the method and the token in csrf_verify() itself: treat every method other than GET, HEAD and OPTIONS as requiring a valid anti-CSRF token, reject state-changing actions reached via those safe methods, read the token and form fields from the POST body rather than $_REQUEST, and compare tokens with a constant-time comparison such as hash_equals().
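The following PHP is an added illustration for this advisory, not code from Easy!Appointments or from its EA_Security.php. It places the flawed pattern described in the Impact section (a CSRF verifier that returns early for non-POST methods, paired with handlers that read merged $_REQUEST-style parameters) beside a hardened verifier that implements the method-and-token checks in the recommended actions above. The function names, the csrf_token field name, the "state-changing" flag and the three sample requests are assumptions made for the example.

```php
<?php
// Added illustration for CVE-2026-23622 / CWE-352; not Easy!Appointments code.
// Function names, the csrf_token field and the sample requests are assumptions.
declare(strict_types=1);

// --- Flawed pattern: only POST is checked. Any other method returns "ok" before
// the token is ever looked at, so a GET carrying the same parameters reaches the
// handler unverified.
function csrf_verify_flawed(string $method, array $post, string $sessionToken): bool
{
    if ($method !== 'POST') {
        return true; // early return for GET/HEAD/PUT/DELETE: no token required
    }
    return isset($post['csrf_token'])
        && hash_equals($sessionToken, (string) $post['csrf_token']);
}

// --- Hardened pattern: safe methods may never change state, every other method
// must present a token, and the token is read from the POST body only.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

function csrf_verify_hardened(string $method, array $post, string $sessionToken, bool $stateChanging): bool
{
    if (in_array($method, SAFE_METHODS, true)) {
        // A state-changing endpoint reached via a safe method is rejected outright;
        // a genuinely read-only endpoint needs no token.
        return !$stateChanging;
    }
    if ($sessionToken === '' || !isset($post['csrf_token'])) {
        return false; // no session token issued, or none supplied
    }
    // Constant-time comparison avoids leaking the token byte by byte.
    return hash_equals($sessionToken, (string) $post['csrf_token']);
}

// Minimal harness with constructed requests (not captured traffic).
$sessionToken = bin2hex(random_bytes(16));
$requests = [
    // CSRF via GET as in the advisory: parameters in the query string, no token.
    ['method' => 'GET',  'query' => ['email' => 'attacker@example.invalid'], 'post' => []],
    // Legitimate form submission carrying the session token in the body.
    ['method' => 'POST', 'query' => [], 'post' => ['email' => 'admin@example.invalid', 'csrf_token' => $sessionToken]],
    // Cross-site POST: the attacker cannot read the token, so it is absent.
    ['method' => 'POST', 'query' => [], 'post' => ['email' => 'attacker@example.invalid']],
];

foreach ($requests as $i => $r) {
    // The flawed verifier is paired with $_REQUEST-style merging of query and body,
    // so a parameter supplied in the URL is indistinguishable from a form field.
    $merged = array_merge($r['query'], $r['post']);
    $flawedAllows = csrf_verify_flawed($r['method'], $r['post'], $sessionToken)
        && isset($merged['email']);

    // The hardened verifier treats this hypothetical "update admin email" action as
    // state-changing and takes the email from the POST body only.
    $hardenedAllows = csrf_verify_hardened($r['method'], $r['post'], $sessionToken, true)
        && isset($r['post']['email']);

    printf("request %d (%s): flawed=%s hardened=%s\n",
        $i, $r['method'],
        $flawedAllows ? 'ALLOW' : 'deny',
        $hardenedAllows ? 'ALLOW' : 'deny');
}
```

Run with `php csrf_example.php`. The first request is the advisory's scenario: the flawed verifier lets the GET through and the merged parameters hand the handler an attacker-chosen email, while the hardened verifier rejects a state-changing action over a safe method. The second request passes both, and the third (a cross-site POST without the token) is rejected by both, which is why the original check looked adequate until the method restriction was noticed.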


Advisories
Source | ID | Title
Github GHSA | GHSA-54v4-4685-vwrj | alextselegidis/easyappointments is Vulnerable to CSRF Protection Bypass
History

Wed, 28 Jan 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Easyappointments; Easyappointments easy!appointments
CPEs | | cpe:2.3:a:easyappointments:easy\!appointments:*:*:*:*:*:-:*:*
Vendors & Products | | Easyappointments; Easyappointments easy!appointments
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 16 Jan 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Alextselegidis; Alextselegidis easyappointments
Vendors & Products | | Alextselegidis; Alextselegidis easyappointments

Thu, 15 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
Title | | CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover
Weaknesses | | CWE-352
References | |
Metrics | | cvssV4_0 {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T21:34:43.098Z

Reserved: 2026-01-14T16:08:37.482Z

Link: CVE-2026-23622

Vulnrichment

Updated: 2026-01-15T21:34:14.796Z

NVD

Status : Analyzed

Published: 2026-01-15T20:16:05.773

Modified: 2026-01-28T17:33:55.673

Link: CVE-2026-23622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses