CVE-2026-3045
Description
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound public_nonce is exposed to unauthenticated users through the public /wp-json/ssa/v1/embed-inner REST endpoint, and (2) the get_item() method in SSA_Settings_Api relies on nonce_permissions_check() for authorization (which accepts the public nonce) but does not call remove_unauthorized_settings_for_current_user() to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the /wp-json/ssa/v1/settings/{section} endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.6.9.29
- Range: <=1.6.9.29
Patches
Vulnerability mechanics
References
5- plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-bootstrap.phpnvd
- plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-settings-api.phpnvd
- plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-api-model.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/5970b8d6-0041-4c30-a6ce-fe67ebf415f5nvd
News mentions
0No linked articles in our index yet.