CVE-2026-3045
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound public_nonce is exposed to unauthenticated users through the public /wp-json/ssa/v1/embed-inner REST endpoint, and (2) the get_item() method in SSA_Settings_Api relies on nonce_permissions_check() for authorization (which accepts the public nonce) but does not call remove_unauthorized_settings_for_current_user() to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the /wp-json/ssa/v1/settings/{section} endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| croixhaug | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | 0 <= 1.6.9.29 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5970b8d6-0041-4c30-a6ce-fe67ebf415f5?source=cve
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-settings-api.php#L128
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-api-model.php#L361
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-bootstrap.php#L151
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480506%40simply-schedule-appointments%2Ftrunk&old=3475885%40simply-schedule-appointments%2Ftrunk&sfp_email=&sfph_mail=#file0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.