CVE-2026-9188

Insecure Direct Object Reference in Wappointment WordPress Plugin

Vulnerability report for CVE-2026-9188, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the `appointmentkey` parameter. The appointment `edit_key` (the sole authorization token consumed by `tryCancel()`) is generated as a predictable, unsalted MD5 hash of only `client_id` (a sequential integer), `start_at` (a publicly observable appointment timestamp), and `staff_id` (a small enumerable integer), with no secret salt or random component, and the unauthenticated cancellation and rescheduling REST endpoints perform no ownership or identity verification beyond matching this reconstructible key. This makes it possible for unauthenticated attackers to compute valid `edit_key` values for appointments belonging to other users and cancel or reschedule those appointments arbitrarily. Exploitation requires the `allow_cancellation` or `allow_rescheduling` setting to be enabled on the site, both of which are common configurations for active booking deployments; an attacker can obtain the inputs needed to reconstruct a victim's key by booking their own appointment to observe their sequential `client_id` and correlating publicly visible appointment times and enumerable staff identifiers.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: wappointment
Product: appointment_bookings
Version / Range: up to 2.7.6 (inclusive)

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is affected by an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 2.7.6. The cause is that the authorization token used to edit or cancel appointments, the edit_key, is a predictable, unsalted MD5 hash of only three values: client_id (a sequential number), start_at (a publicly visible appointment time), and staff_id (a small enumerable number). The key contains no secret or random component.

Because the cancellation and rescheduling REST endpoints do not verify ownership or identity beyond matching this predictable key, an attacker can calculate valid edit_key values for other users' appointments. This allows the attacker to cancel or reschedule appointments without authentication.

To exploit this, the site must have either the allow_cancellation or allow_rescheduling setting enabled, which are common configurations. An attacker can book their own appointment to learn the sequential client_id and observe public appointment times and staff IDs to reconstruct another user's edit_key.

Impact Analysis

This vulnerability allows unauthenticated attackers to arbitrarily cancel or reschedule appointments belonging to other users. This can disrupt business operations, erode customer trust, and leave the booking schedule unreliable.

Since attackers can manipulate appointments without authorization, it may result in denial of service for legitimate users and potential reputational damage for the organization using the plugin.
