Description
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows unauthenticated users to retrieve sensitive plugin settings through the WordPress REST API. Because the plugin’s settings endpoint accepts a nonce that is not user-bound and fails to filter restricted fields, an attacker can read the administrator email, phone number, internal access tokens, notification configurations, and developer settings. This disclosure of confidential information may enable further malicious actions such as modifying or canceling appointments and abusing internal tokens. The weakness corresponds to Missing Authorization (CWE‑862).

Affected Systems

All WordPress installations running the Appointment Booking Calendar — Simply Schedule Appointments plugin version 1.6.9.29 or earlier are affected. This applies to the plugin product disclosed by croixhaug.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it via unauthenticated network requests to the /wp-json/ssa/v1/settings/{section} endpoint using a publicly exposed nonce. The absence of a user check means any visitor of the site’s REST API can gain the exposed data, making the attack vector straightforward for remote unauthenticated attackers.

Generated by OpenCVE AI on March 19, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Appointment Booking Calendar plugin to the latest release (after version 1.6.9.29).
  • If an upgrade is not immediately possible, block or restrict access to the /wp-json/ssa/v1/settings/* and /wp-json/ssa/v1/embed-inner endpoints using web server rules or a firewall filter.
  • Verify that sensitive data such as internal tokens are removed from the plugin’s configuration or stored in a less accessible location.

Generated by OpenCVE AI on March 19, 2026 at 14:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Croixhaug
Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress
Wordpress wordpress
Vendors & Products Croixhaug
Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 07:45:00 +0000

Type Values Removed Values Added
Description The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
Title Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:49.064Z

Reserved: 2026-02-23T17:29:24.802Z

Link: CVE-2026-3045

cve-icon Vulnrichment

Updated: 2026-03-13T16:06:54.004Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:10.307

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-3045

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:44Z

Weaknesses