CVE-2026-39694

The Simply Schedule Appointments plugin for WordPress (versions ≤ 1.6.10.2) contains a missing authorization vulnerability (CVE-2026-39694). The root cause is that certain functions lack proper access control checks or nonce tokens, allowing unauthenticated or low-privileged users to perform actions reserved for higher-privileged roles [1].

The vulnerability can be exploited without authentication by sending crafted requests to the affected endpoints. No previous user interaction or special configuration is required — the attack surface is broad, as the plugin is widely deployed, and similar issues are leveraged in mass-exploit campaigns targeting thousands of sites regardless of traffic or popularity [1].

A successful exploit could allow an attacker to modify appointments, access sensitive schedule data, or escalate privileges within a WordPress site. While the CVSS score (5.3, Medium) indicates a low severity, the simplicity of exploitation and the potential for automation make timely patching important [1].

The vendor released version 1.6.11.1, which resolves the issue. Users are advised to update immediately or enable auto-updates. For those unable to update, hosting provider assistance is recommended [1].