CVE-2026-2262
Received Received - Intake

Sensitive Information Exposure in Easy Appointments WordPress Plugin

Vulnerability report for CVE-2026-2262, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: Wordfence

Description

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-07-06
AI Q&A
2026-04-18
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
easy_appointments easy_appointments to 3.12.21 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information. Exposure of such personal and sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personally identifiable information and sensitive health or appointment data.

Specifically, under GDPR, unauthorized disclosure of personal data can result in violations related to data confidentiality and integrity, potentially leading to fines and legal consequences. Similarly, HIPAA mandates safeguards to protect patient information, and exposure of appointment details and personal identifiers could constitute a breach.

Executive Summary

The Easy Appointments plugin for WordPress has a vulnerability in all versions up to and including 3.12.21. This vulnerability exists in the REST API endpoint `/wp-json/wp/v2/eablocks/ea_appointments/` because it is registered with a permission callback that always returns true, meaning no authentication or authorization is required to access it.

As a result, unauthenticated attackers can access this endpoint and extract sensitive customer appointment data such as full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive customer information. Attackers can obtain personal details including names, contact information, IP addresses, appointment details, and pricing data without any authentication.

Such exposure can result in privacy violations, loss of customer trust, potential identity theft, and could harm the reputation of the affected organization.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2262. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart