Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter

An authenticated attacker with at least Contributor-level access (the `edit_posts` capability) can send a crafted HTTP GET request to the WordPress admin area with `cpabc_calendar_load2=1` and an arbitrary `id` parameter. The `cpabc_appointments_calendar_load2()` function lacks per-calendar ownership checks, so the attacker can enumerate calendar IDs and extract sensitive booking data—including email addresses, names, phone numbers, booking times, and comments—from any calendar managed by the plugin. This is an authorization bypass / IDOR vulnerability.

The vulnerability resides in the `cpabc_appointments_calendar_load2()` function, which is hooked to `plugins_loaded` and reachable via the `cpabc_calendar_load2=1` query parameter in `wp-admin`. The function only checks `is_admin() && current_user_can('edit_posts')` without verifying that the authenticated user owns or is authorized to access the calendar specified by the `id` parameter. This affects all versions up to and including 1.4.01 of the Appointment Booking Calendar plugin for WordPress.

The patch is not included in the bundle, but the advisory indicates that the fix must add per-calendar ownership verification inside `cpabc_appointments_calendar_load2()` so that a user can only retrieve booking data for calendars they own or are explicitly authorized to manage. Without such a check, any authenticated user with `edit_posts` can access all calendars' customer information.