Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Appointment Booking Calendar plugin allows an unauthenticated attacker to call a bulk appointments REST API endpoint without proper authorization checks. This flaw lets the attacker modify any appointment record, changing fields such as customer PII, payment status, and meeting URLs. In addition, the endpoint’s response reveals full customer PII for all appointments, exposing sensitive data. The weakness maps to CWE-862: Missing Authorization

Affected Systems

WordPress sites running the croixhaug "Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin" with any version up to and including 1.6.11.8 are affected. Sites that include the [ssa_booking] shortcode expose a public static nonce that can be harvested by any visitor

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. Exploitation requires only that an attacker reach the REST endpoint, which can be accessed by any website visitor who has seen a page containing the shortcode. Because the nonce is static and public, no authentication or elevated privileges are required. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 28, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Appointment Booking Calendar plugin to the latest version that contains an authorization check for the bulk appointments endpoint (currently unavailable, but vendors are expected to fix in future releases).
  • If an upgrade is not immediately possible, block or restrict access to the bulk appointments REST API endpoint on the WordPress site (e.g., via firewall rules or WP .htaccess restrictions) so that only trusted IPs or authenticated administrators can reach it.
  • Implement application logging and alerting to detect unauthorized modification attempts or abnormal bulk updates to appointment records.

Generated by OpenCVE AI on May 28, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Croixhaug
Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress
Wordpress wordpress
Vendors & Products Croixhaug
Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress
Wordpress wordpress

Thu, 28 May 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication.
Title Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:31:56.999Z

Reserved: 2026-04-23T19:11:14.213Z

Link: CVE-2026-6937

cve-icon Vulnrichment

Updated: 2026-05-28T10:31:51.418Z

cve-icon NVD

Status : Deferred

Published: 2026-05-28T09:16:48.170

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-6937

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T09:30:06Z

Weaknesses