CVE-2025-11723
Unknown Unknown - Not Provided
Sensitive Information Exposure in Simply Schedule Appointments Plugin

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: Wordfence

Description
The Appointment Booking Calendar β€” Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11723
EUVD
EUVD-2026-1093
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
simply_schedule_appointments simply_schedule_appointments_booking_plugin to 1.6.9.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress (up to version 1.6.9.5) where a hardcoded fall-back salt is used in the hash() function. Because of this, unauthenticated attackers can generate valid tokens across sites running the plugin that have not manually set a salt in the wp-config.php file. This allows attackers to access booking information and potentially make unauthorized modifications. [1]

Impact Analysis

The vulnerability can allow unauthenticated attackers to access sensitive booking information and make unauthorized changes to appointments. This could lead to privacy breaches, manipulation of booking data, and potential disruption of appointment scheduling on affected WordPress sites. [1]

Detection Guidance

You can detect this vulnerability by checking the version of the Simply Schedule Appointments Booking Plugin installed on your WordPress site. Versions up to and including 1.6.9.5 are vulnerable. Specifically, look for the use of the hardcoded fallback salt in the hash() function. Since the vulnerability involves token generation using a hardcoded salt, you might also monitor for unauthorized access attempts to booking information or modifications. However, no specific detection commands are provided in the resources. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Simply Schedule Appointments Booking Plugin to version 1.6.9.6 or later. This update replaces the insecure hash() function usage with a site-unique hash, removes deprecated hashing code, and fixes related security issues. Additionally, ensure that a unique salt is set manually in the wp-config.php file to prevent fallback to the hardcoded salt. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart