Description
Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.10.2.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

A missing authorization flaw, identified as CWE-862, allows an attacker to bypass controls in the NSquared Simply Schedule Appointments plugin for WordPress. The vulnerability permits read or alteration of appointment data that should be protected, compromising confidentiality and integrity of scheduling information.

Affected Systems

WordPress sites running the Simply Schedule Appointments plugin version 1.6.10.2 or earlier are affected, including all earlier releases.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, while an EPSS score of less than 1% reflects a low likelihood of current exploitation. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, reducing concerns about active exploitation. Likely attack vectors involve web requests to plugin endpoints that lack proper authorization checks, but specific exploitation steps are not detailed in the advisory and are inferred from the description.

Generated by OpenCVE AI on April 8, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify the installed Simply Schedule Appointments plugin version on your WordPress site.
  • Download and install the latest plugin release, which removes the broken access‑control flaw.
  • Verify the update by attempting to access restricted plugin functions as an unprivileged user; they should now be denied.
  • If the plugin cannot be updated immediately, deactivate it to disable the vulnerable functionality until the patch is applied.

Generated by OpenCVE AI on April 8, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Nsquared
Nsquared simply Schedule Appointments
Wordpress
Wordpress wordpress
Vendors & Products Nsquared
Nsquared simply Schedule Appointments
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.10.2.
Title WordPress Simply Schedule Appointments plugin <= 1.6.10.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Nsquared Simply Schedule Appointments
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.096Z

Reserved: 2026-04-07T10:58:16.464Z

Link: CVE-2026-39694

cve-icon Vulnrichment

Updated: 2026-04-08T14:31:27.094Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:41.783

Modified: 2026-04-29T10:17:41.387

Link: CVE-2026-39694

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:40:26Z

Weaknesses