CVE-2026-39513

Vulnerability

The Easy Appointments plugin for WordPress versions 3.12.21 and earlier suffers from an unauthenticated broken access control vulnerability [1]. The issue resides in missing authorization, authentication, or nonce token checks in certain functions, making the privileged code path reachable without any prior authentication [1].

Exploitation

An attacker with network access to a WordPress site running a vulnerable version can directly invoke the unprotected functions without requiring any authentication, user interaction, or special privileges [1]. The attack does not depend on any race window or specific configuration beyond having the plugin installed and active. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of sites simultaneously [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute higher-privileged actions normally restricted to authorized users, effectively bypassing access controls. This could lead to unauthorized information disclosure, data modification, or other privileged operations depending on the affected functionality [1]. The overall impact is rated with a CVSS v3 score of 7.5 (High) [1].

Mitigation

The vulnerability is fixed in version 3.12.22 [1]. Users are advised to update to this version or later immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until a patch is applied; contacting a hosting provider or web developer for assistance is also recommended [1].