CVE-2026-4807
Status: Deferred - Pending Action
Missing Authorization in Appointment Booking Calendar WordPress Plugin

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: Wordfence

Description
The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoints at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce instead of rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (neither user-specific nor appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption and the loss of booking records.
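The permission-callback pattern the description attributes to nonce_permissions_check(), placed beside a hardened alternative, as an added PHP example written for this page. It is not the plugin's source code: the function names, the example/v1 namespace, the example_public_nonce option, the _example_edit_token post-meta key, the X-Appointment-Token header and the manage_options capability are all assumptions; only the WordPress core APIs (register_rest_route, wp_verify_nonce, is_user_logged_in, current_user_can, hash_equals) are real.

```php
<?php
// Added example for this page; not the plugin's own code. Every name marked
// "assumed" is illustrative and does not exist in the real plugin.

// The pattern the advisory describes: when the per-user REST nonce does not
// verify, the check falls through to a site-wide token that any visitor can
// fetch, so a failed user nonce never actually rejects the request.
function example_flawed_permissions_check( WP_REST_Request $request ) {
	$wp_nonce     = $request->get_header( 'X-WP-Nonce' );
	$public_nonce = $request->get_header( 'X-PUBLIC-Nonce' );

	if ( $wp_nonce && wp_verify_nonce( $wp_nonce, 'wp_rest' ) ) {
		return true;
	}
	// Fallback: one reusable secret for the whole site, tied neither to a
	// user nor to the appointment about to be deleted.
	$site_public_nonce = (string) get_option( 'example_public_nonce' ); // assumed storage
	return '' !== $site_public_nonce
		&& is_string( $public_nonce )
		&& hash_equals( $site_public_nonce, $public_nonce );
}

// Hardened check for destructive routes: let core's REST authentication
// (cookie + X-WP-Nonce, or an application password) establish the user,
// then require a capability. There is no public-token fallback at all.
function example_hardened_permissions_check( WP_REST_Request $request ) {
	if ( ! is_user_logged_in() ) {
		return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
	}
	if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
		return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
	}
	return true;
}

// If a customer-facing cancel flow must work without a login, gate it on a
// secret unique to one appointment (stored when the booking is created and
// compared in constant time), never on a site-wide value.
function example_public_cancel_check( WP_REST_Request $request ) {
	$appointment_id = absint( $request['id'] );
	$token          = (string) $request->get_header( 'X-Appointment-Token' ); // assumed header
	$expected       = get_post_meta( $appointment_id, '_example_edit_token', true ); // assumed storage

	if ( ! $appointment_id || ! is_string( $expected ) || '' === $expected ) {
		return new WP_Error( 'rest_forbidden', 'Unknown appointment.', array( 'status' => 403 ) );
	}
	if ( ! hash_equals( $expected, $token ) ) {
		return new WP_Error( 'rest_forbidden', 'Invalid appointment token.', array( 'status' => 403 ) );
	}
	return true;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/appointments/(?P<id>\d+)/delete', array( // assumed namespace
		'methods'             => WP_REST_Server::DELETABLE,
		'callback'            => 'example_delete_appointment', // assumed handler, not shown here
		'permission_callback' => 'example_hardened_permissions_check',
	) );
	register_rest_route( 'example/v1', '/appointments/(?P<id>\d+)/cancel', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'example_cancel_appointment', // assumed handler, not shown here
		'permission_callback' => 'example_public_cancel_check',
	) );
} );
```

The design point is that a permission callback for a destructive route must have exactly one way to succeed, and that way must bind the caller to a user (or to the specific record) rather than to a secret every visitor can read. Falling back from a strong check to a weaker one turns the strong check into decoration.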
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-05-27
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-26
Affected Vendors & Products
Vendor: appointment_booking_calendar
Product: plugin
Version / Range: up to 1.6.10.6 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The Appointment Booking Calendar plugin for WordPress has a vulnerability called Missing Authorization in versions up to 1.6.10.6. This happens because the plugin's authorization logic is flawed in the nonce_permissions_check() method. Specifically, the plugin exposes a site-wide reusable nonce (a security token) publicly through an endpoint accessible to anyone, even unauthenticated users.

When deleting appointments via certain API endpoints, the plugin checks for permissions using two headers: X-WP-Nonce and X-PUBLIC-Nonce. If the X-WP-Nonce is invalid, the plugin incorrectly falls back to validating only the X-PUBLIC-Nonce, which is publicly known and not user-specific. This allows attackers to bypass proper authorization.

As a result, unauthenticated attackers can view, delete, or modify any appointment in the system by exploiting this exposed public nonce.


How can this vulnerability impact me?

This vulnerability can have several negative impacts:

  • Attackers can view sensitive appointment details, potentially exposing private information.
  • Attackers can delete arbitrary appointments, causing loss of booking records and disrupting services.
  • Attackers can modify appointments without authorization, leading to data integrity issues.

Overall, this can lead to data disclosure, service disruption, and loss of trust in the booking system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Appointment Booking Calendar plugin for WordPress is installed and running a version up to and including 1.6.10.6. Additionally, you can test for the presence of the exposed public_nonce by sending unauthenticated requests to the /wp-json/ssa/v1/embed-inner endpoint to see if the public_nonce value is returned.

To detect exploitation attempts or the vulnerability on your system, you can monitor HTTP requests to the following endpoints for suspicious activity:

  • /wp-json/ssa/v1/embed-inner (to check if public_nonce is exposed)
  • /wp-json/ssa/v1/appointments/{id}/delete
  • /wp-json/ssa/v1/appointments/bulk

Example commands to test the exposure of the public_nonce value:

  • curl -s https://your-wordpress-site.com/wp-json/ssa/v1/embed-inner | grep public_nonce

You can also monitor logs or use intrusion detection systems to flag requests containing both X-WP-Nonce and X-PUBLIC-Nonce headers targeting the deletion endpoints, especially if the X-WP-Nonce value is arbitrary or invalid.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Update the Appointment Booking Calendar plugin to a version later than 1.6.10.6 where the authorization logic flaw is fixed.
  • If an update is not immediately available, restrict access to the /wp-json/ssa/v1/embed-inner endpoint to authenticated users only or block unauthenticated access via web server rules or firewall.
  • Monitor and block suspicious requests that include both X-WP-Nonce and X-PUBLIC-Nonce headers targeting appointment deletion endpoints.
  • Consider temporarily disabling the Appointment Booking Calendar plugin if the risk is high and no patch is available.
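A site-side stopgap for the detection and mitigation points above (logging requests to the delete routes that carry the X-PUBLIC-Nonce header without a verifying X-WP-Nonce, and blocking them until the plugin is updated), as an added PHP example written for this page rather than vendor code. It is a must-use plugin dropped into wp-content/mu-plugins/. The two route paths come from the advisory; the regex, the file and constant names, the log line format and the use of error_log are assumptions. The rest_pre_dispatch filter, WP_REST_Request::get_header, WP_REST_Request::get_route and wp_verify_nonce are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example virtual patch for SSA appointment delete routes
 * Description: Added example for this page, not from the plugin vendor.
 *              Save as wp-content/mu-plugins/example-ssa-virtual-patch.php
 *              and remove once the plugin is updated past 1.6.10.6.
 */

// Matches /ssa/v1/appointments/{id}/delete and /ssa/v1/appointments/bulk
// (paths from the advisory; the regex itself is ours).
const EXAMPLE_SSA_DELETE_ROUTE = '#^/ssa/v1/appointments/(\d+/delete|bulk)$#';

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
	// Another filter already produced a response, or this is not a guarded route.
	if ( null !== $result || ! preg_match( EXAMPLE_SSA_DELETE_ROUTE, $request->get_route() ) ) {
		return $result;
	}

	$wp_nonce     = $request->get_header( 'X-WP-Nonce' );
	$public_nonce = $request->get_header( 'X-PUBLIC-Nonce' );

	// Nothing to do unless the site-wide public token is being presented.
	if ( null === $public_nonce ) {
		return $result;
	}

	// A public nonce paired with a user nonce that is absent or does not verify
	// is the combination the advisory describes. Deny it and write one log line;
	// the token values themselves are deliberately not echoed into the log.
	$user_nonce_ok = is_string( $wp_nonce ) && false !== wp_verify_nonce( $wp_nonce, 'wp_rest' );
	if ( ! $user_nonce_ok ) {
		error_log( sprintf(
			'example-ssa-virtual-patch: blocked %s %s from %s (X-PUBLIC-Nonce present, X-WP-Nonce %s)',
			$request->get_method(),
			$request->get_route(),
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
			null === $wp_nonce ? 'absent' : 'invalid'
		) );
		return new WP_Error( 'rest_forbidden', 'Request blocked by virtual patch.', array( 'status' => 403 ) );
	}

	// Valid user nonce: hand the request on to the plugin's own handling.
	return $result;
}, 10, 3 );
```

The filter runs after core's REST authentication, so wp_verify_nonce() is checked against the same 'wp_rest' action the REST API uses for cookie-authenticated requests. Requests to the guarded routes without an X-PUBLIC-Nonce header are passed through untouched, since the advisory names the header combination as the trigger. If the plugin's legitimate customer flow (the public_edit_url the description mentions) also relies on X-PUBLIC-Nonce for these routes, this patch will block that flow as well; that is a deliberate trade-off for the window until the update is applied. The error_log line lands in the PHP error log (or the WP_DEBUG_LOG file when that is configured), where a SIEM or log-monitoring rule can key on the fixed prefix.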

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to view, delete, or modify any appointment in the system, which can lead to the disclosure of sensitive appointment data and loss of booking records.

Such unauthorized access and data manipulation could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

