CVE-2026-1704
Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the get_item_permissions_check method granting access to users with the ssa_manage_appointments capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.6.9.29
Patches
Vulnerability mechanics
References
6- plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.phpnvd
- plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.phpnvd
- plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.phpnvd
- plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/c82f3864-13af-4ff6-824a-4c799a98f3f6nvd
News mentions
0No linked articles in our index yet.