CVE-2026-6937
Missing Authorization in Appointment Booking Calendar WordPress Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| simply_schedule_appointments | appointment_booking_calendar | all versions up to and including 1.6.11.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to read and modify sensitive customer information, including personally identifiable information (PII), payment status, and meeting URLs. Exposure or unauthorized modification of such data can put a site out of compliance with data protection regulations such as GDPR and HIPAA, which require access to personal and payment information to be restricted and controlled.
Specifically, the ability to expose full customer PII and alter appointment records without any authorization check violates the confidentiality and integrity requirements these standards impose.
Can you explain this vulnerability to me?
The vulnerability exists in the Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin for WordPress, affecting all versions up to and including 1.6.11.8. It is caused by missing authorization checks on the bulk appointments REST API endpoint: the plugin does not verify whether the caller is permitted to read or modify the appointment records named in the request.
Because of this, unauthenticated attackers can modify arbitrary appointment records, including sensitive fields such as customer personally identifiable information (PII), payment status, and meeting URLs. Attackers can also expose full customer PII from existing appointment records, because the bulk endpoint returns the affected records in its response.
The vulnerability is worsened by the use of a public nonce that is static and user-independent, embedded in the HTML source of any page hosting the [ssa_booking] shortcode. A nonce generated for a logged-out visitor is not tied to any identity, so it proves nothing about who is calling; any visitor who has viewed such a page can copy the nonce and target any appointment in the system without authenticating.
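To make the CWE-862 point concrete, the following is an added illustration written for this page, not code from the Simply Schedule Appointments plugin: a hypothetical WordPress bulk-update REST route whose permission callback first relies only on a nonce printed into public page HTML (the pattern the advisory describes), followed by the capability and per-record ownership check that should replace it. The namespace, route, capability, meta keys and helper names are all assumptions; only the WordPress API calls (register_rest_route, wp_verify_nonce, current_user_can, WP_Error, and so on) are real.

```php
<?php
/**
 * Added illustration, not plugin code. Every namespace, route, capability,
 * meta key and helper below is hypothetical.
 *
 * Why a "public" nonce is not authorization: wp_create_nonce() for a visitor
 * with no session is derived from user ID 0 and an empty session token, so
 * every logged-out visitor receives the same value for a given action. It
 * protects against CSRF, not against an attacker who can simply read it out
 * of the page source.
 */

// The pattern the advisory describes: the only gate is a nonce that is
// rendered into the HTML of every page carrying the booking form.
function example_booking_nonce_only_permission( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-Example-Nonce' );          // hypothetical header
    return (bool) wp_verify_nonce( $nonce, 'example_booking_public' ); // hypothetical action
}

// Hardened: authenticate, require a capability, then authorize every record
// in the batch (object-level authorization, not just "is this user staff").
function example_booking_bulk_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Hypothetical capability; a real plugin would map it to roles on activation.
    if ( ! current_user_can( 'edit_booking_appointments' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    foreach ( (array) $request->get_param( 'appointments' ) as $row ) {
        $id = isset( $row['id'] ) ? absint( $row['id'] ) : 0;
        if ( ! $id || ! example_booking_user_may_edit( get_current_user_id(), $id ) ) {
            return new WP_Error( 'rest_forbidden', 'Not allowed to modify appointment ' . $id, array( 'status' => 403 ) );
        }
    }
    return true;
}

// Hypothetical ownership lookup: administrators may edit any appointment,
// anyone else only appointments recorded against their own user ID.
function example_booking_user_may_edit( $user_id, $appointment_id ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    $owner_id = (int) get_post_meta( $appointment_id, '_example_booking_customer_user', true ); // hypothetical meta key
    return $owner_id > 0 && $owner_id === (int) $user_id;
}

function example_booking_bulk_update( WP_REST_Request $request ) {
    // Allow-list of writable fields and their sanitizers, instead of writing
    // whatever keys the client sends (PII, payment status, meeting URL ...).
    $allowed = array( 'status' => 'sanitize_key', 'meeting_url' => 'esc_url_raw' );
    $updated = array();
    foreach ( (array) $request->get_param( 'appointments' ) as $row ) {
        $id = absint( $row['id'] );
        foreach ( $allowed as $field => $sanitizer ) {
            if ( isset( $row[ $field ] ) ) {
                update_post_meta( $id, '_example_booking_' . $field, call_user_func( $sanitizer, $row[ $field ] ) );
            }
        }
        // Return identifiers only; never echo full customer records back to a bulk caller.
        $updated[] = $id;
    }
    return rest_ensure_response( array( 'updated' => $updated ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/appointments/bulk', array( // hypothetical route
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_booking_bulk_update',
        // Vulnerable variants would be '__return_true' or
        // 'example_booking_nonce_only_permission'; both are CWE-862.
        'permission_callback' => 'example_booking_bulk_permission',
        'args'                => array(
            'appointments' => array( 'required' => true, 'type' => 'array' ),
        ),
    ) );
} );
```

The practical check when reviewing a plugin for this class of bug is to list every register_rest_route call and read each permission_callback: anything that is `__return_true`, that only verifies a nonce, or that checks a capability without then checking the specific record IDs in the request is a candidate for the same finding.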
How can this vulnerability impact me?
This vulnerability can have significant impact. Unauthorized modification of appointment records undermines data integrity: attackers can alter customer PII, payment status, and meeting URLs, which can cause financial and reputational damage.
Attackers can also read full customer PII from existing appointments, leading to privacy breaches and potential misuse of personal data.