CVE-2026-3045

Summary

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound public_nonce is exposed to unauthenticated users through the public /wp-json/ssa/v1/embed-inner REST endpoint, and (2) the get_item() method in SSA_Settings_Api relies on nonce_permissions_check() for authorization (which accepts the public nonce) but does not call remove_unauthorized_settings_for_current_user() to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the /wp-json/ssa/v1/settings/{section} endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.

Affected Software

VendorProductVersion RangeStatus
croixhaugAppointment Booking Calendar — Simply Schedule Appointments Booking Plugin0 <= 1.6.9.29affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References