Impact
The Easy Appointments plugin, version 3.12.21 and earlier, contains a broken access control flaw that is reachable without authentication and allows a remote attacker to perform privileged operations within the plugin. Because the affected functionality enforces neither authentication nor an authorization (capability) check, an attacker can call the exposed endpoints to create, edit or delete appointments and other plugin data without valid credentials. This affects the confidentiality and integrity of scheduling data and can be used to disrupt or tamper with booking workflows, for example by deleting legitimate bookings or inserting bogus ones.
Affected Systems
All WordPress sites running Easy Appointments v3.12.21 or earlier are affected. The fix is included in v3.12.22, so any installation that has not been updated to v3.12.22 or later remains exposed. Sites that rely on the plugin for booking functionality are therefore at risk; confirm the installed version from the Plugins screen in the WordPress admin, or with WP-CLI (wp plugin list), rather than assuming auto-updates have applied the fix.
Risk and Exploitability
The CVSS score of 7.5 places this vulnerability in the high severity range. The EPSS score of less than 1% is a predicted probability of exploitation in the wild over the next 30 days, not a measurement of current attack activity, and the flaw is not listed in the CISA KEV catalog, meaning CISA has not confirmed exploitation. The vulnerability description implies that the attack vector is unauthenticated HTTP requests to the plugin's API or administrative endpoints, that is, any remote party can send crafted requests to the affected functionality without a valid session; the description does not identify the specific endpoint, so this is an inference. Because the flaw gives direct access to privileged operations, the potential impact is significant, and a low EPSS score should not be read as a reason to delay the update: it lowers the estimated likelihood, not the severity, and a flaw that needs no credentials is trivial to scan for once it is public.
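The pattern described above, missing authentication and authorization on a plugin endpoint, usually looks like one of two things in a WordPress plugin: an admin-ajax action also registered under the wp_ajax_nopriv_ hook with no nonce or capability check in the callback, or a REST route whose permission_callback returns true. The following is an added example written for this page, not code from the Easy Appointments plugin, showing a hypothetical appointment-deletion handler first with that broken pattern and then hardened. Every name in it (the ea_demo_ prefix, the ea_demo_appointments table, the manage_options capability, the ea-demo/v1 namespace) is an assumption for illustration.

```php
<?php
/**
 * Added example, not the Easy Appointments plugin's code. All ea_demo_*
 * names, the table name and the capability are assumptions for illustration.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Registering the callback under wp_ajax_nopriv_ makes it reachable by anyone who
// can POST to /wp-admin/admin-ajax.php?action=ea_demo_delete, and the callback
// itself performs no nonce check and no capability check.
add_action( 'wp_ajax_ea_demo_delete',        'ea_demo_delete_vulnerable' );
add_action( 'wp_ajax_nopriv_ea_demo_delete', 'ea_demo_delete_vulnerable' );

function ea_demo_delete_vulnerable() {
    global $wpdb;
    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    // Privileged operation executed on behalf of an unauthenticated caller.
    $wpdb->delete( $wpdb->prefix . 'ea_demo_appointments', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// --- Hardened pattern -------------------------------------------------------
// 1. No wp_ajax_nopriv_ hook, so anonymous requests never reach the callback.
// 2. check_ajax_referer() rejects requests without a valid nonce (CSRF).
// 3. current_user_can() enforces authorization, not merely "is logged in".
// 4. The id is validated before it reaches the query.
add_action( 'wp_ajax_ea_demo_delete_v2', 'ea_demo_delete_hardened' );

function ea_demo_delete_hardened() {
    check_ajax_referer( 'ea_demo_delete', 'nonce' ); // wp_die()s with HTTP 403 on failure

    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability for this operation
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    global $wpdb;
    $rows = $wpdb->delete( $wpdb->prefix . 'ea_demo_appointments', array( 'id' => $id ), array( '%d' ) );
    if ( false === $rows ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id, 'rows' => $rows ) );
}

// --- REST equivalent --------------------------------------------------------
// The REST API form of the same mistake is permission_callback => '__return_true'.
// The route below performs the capability check in permission_callback, so the
// handler only ever runs for an authorized user.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ea-demo/v1', '/appointments/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'ea_demo_rest_delete',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' ); // assumed capability
        },
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );

function ea_demo_rest_delete( WP_REST_Request $request ) {
    global $wpdb;
    $id   = absint( $request['id'] );
    $rows = $wpdb->delete( $wpdb->prefix . 'ea_demo_appointments', array( 'id' => $id ), array( '%d' ) );
    if ( false === $rows ) {
        return new WP_Error( 'ea_demo_delete_failed', 'delete failed', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => $id, 'rows' => $rows ) );
}
```

When reviewing a plugin for this class of bug, grep for wp_ajax_nopriv_ registrations and for permission_callback values of '__return_true' or is_user_logged_in, then read each matched callback for a current_user_can() call that actually gates the privileged operation; a nonce check on its own is a CSRF control, not an authorization control, and being logged in is not the same as being allowed to modify other users' appointments. For REST routes, cookie-authenticated calls must also carry a valid X-WP-Nonce header, otherwise WordPress treats the request as anonymous and the permission_callback is what prevents the anonymous path from succeeding.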
OpenCVE Enrichment