CVE-2026-2262
Sensitive Information Exposure in Easy Appointments WordPress Plugin
Publication date: 2026-04-18
Last updated on: 2026-04-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| easy_appointments | easy_appointments | to 3.12.21 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Easy Appointments plugin for WordPress has a vulnerability in all versions up to and including 3.12.21. This vulnerability exists in the REST API endpoint `/wp-json/wp/v2/eablocks/ea_appointments/` because it is registered with a permission callback that always returns true, meaning no authentication or authorization is required to access it.
As a result, unauthenticated attackers can access this endpoint and extract sensitive customer appointment data such as full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive customer information. Attackers can obtain personal details including names, contact information, IP addresses, appointment details, and pricing data without any authentication.
Such exposure can result in privacy violations, loss of customer trust, potential identity theft, and could harm the reputation of the affected organization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to access sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information. Exposure of such personal and sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personally identifiable information and sensitive health or appointment data.
Specifically, under GDPR, unauthorized disclosure of personal data can result in violations related to data confidentiality and integrity, potentially leading to fines and legal consequences. Similarly, HIPAA mandates safeguards to protect patient information, and exposure of appointment details and personal identifiers could constitute a breach.