CVE-2026-42384

Vulnerability

An unauthenticated sensitive data exposure vulnerability exists in the Simply Schedule Appointments plugin for WordPress versions prior to 1.6.11.2. The flaw allows attackers to retrieve sensitive information without authentication, likely through exposed API endpoints or direct access to stored data. The vulnerability is present in all versions before 1.6.11.2 [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the affected plugin endpoints, requiring no authentication or user interaction. The exploit is straightforward and can be automated, making it suitable for mass exploitation campaigns [1].

Impact

Successful exploitation permits an unauthenticated attacker to view sensitive data that is normally restricted to authenticated users. This may include appointment details, personal information of clients, or other confidential data stored by the plugin. The exposure can be used to further compromise the system or target users [1].

Mitigation

Update the Simply Schedule Appointments plugin to version 1.6.11.2 or later, which contains the fix. If immediate update is not possible, Patchstack users can enable the provided mitigation rule to block attacks until the update is applied. No other workarounds are mentioned in the available reference [1].