CVE-2025-11723
Unknown Unknown - Not Provided

Sensitive Information Exposure in Simply Schedule Appointments Plugin

Vulnerability report for CVE-2025-11723, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: Wordfence

Description

The Appointment Booking Calendar β€” Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-07-06
AI Q&A
2026-01-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
simply_schedule_appointments simply_schedule_appointments_booking_plugin to 1.6.9.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress (up to version 1.6.9.5) where a hardcoded fall-back salt is used in the hash() function. Because of this, unauthenticated attackers can generate valid tokens across sites running the plugin that have not manually set a salt in the wp-config.php file. This allows attackers to access booking information and potentially make unauthorized modifications. [1]

Impact Analysis

The vulnerability can allow unauthenticated attackers to access sensitive booking information and make unauthorized changes to appointments. This could lead to privacy breaches, manipulation of booking data, and potential disruption of appointment scheduling on affected WordPress sites. [1]

Detection Guidance

You can detect this vulnerability by checking the version of the Simply Schedule Appointments Booking Plugin installed on your WordPress site. Versions up to and including 1.6.9.5 are vulnerable. Specifically, look for the use of the hardcoded fallback salt in the hash() function. Since the vulnerability involves token generation using a hardcoded salt, you might also monitor for unauthorized access attempts to booking information or modifications. However, no specific detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Simply Schedule Appointments Booking Plugin to version 1.6.9.6 or later. This update replaces the insecure hash() function usage with a site-unique hash, removes deprecated hashing code, and fixes related security issues. Additionally, ensure that a unique salt is set manually in the wp-config.php file to prevent fallback to the hardcoded salt. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart