CVE-2026-2262
Received Received - Intake
Sensitive Information Exposure in Easy Appointments WordPress Plugin

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: Wordfence

Description
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2262
EUVD
EUVD-2026-23577
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
easy_appointments easy_appointments to 3.12.21 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information. Exposure of such personal and sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personally identifiable information and sensitive health or appointment data.

Specifically, under GDPR, unauthorized disclosure of personal data can result in violations related to data confidentiality and integrity, potentially leading to fines and legal consequences. Similarly, HIPAA mandates safeguards to protect patient information, and exposure of appointment details and personal identifiers could constitute a breach.

Executive Summary

The Easy Appointments plugin for WordPress has a vulnerability in all versions up to and including 3.12.21. This vulnerability exists in the REST API endpoint `/wp-json/wp/v2/eablocks/ea_appointments/` because it is registered with a permission callback that always returns true, meaning no authentication or authorization is required to access it.

As a result, unauthenticated attackers can access this endpoint and extract sensitive customer appointment data such as full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive customer information. Attackers can obtain personal details including names, contact information, IP addresses, appointment details, and pricing data without any authentication.

Such exposure can result in privacy violations, loss of customer trust, potential identity theft, and could harm the reputation of the affected organization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2262. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart