VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published May 28, 2026

CVE-2026-6937

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Simply Schedule Appointments Booking Plugin for WordPress up to 1.6.11.8 lacks authorization checks on the bulk appointments REST API, allowing unauthenticated attackers to modify or expose appointment data.

Vulnerability

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress versions up to and including 1.6.11.8 fails to properly verify user authorization on the bulk appointments REST API endpoint. The plugin registers a /bulk route under the REST API namespace (see [4]) and uses the same permission callback as for creating a single item, which does not enforce authentication or capability checks. Additionally, the plugin uses a static, user-independent nonce value present in the HTML source of any page hosting the [ssa_booking] shortcode, making it trivial for any visitor to obtain the nonce and craft requests.

Exploitation

An unauthenticated attacker can obtain the static nonce by viewing any page that includes the booking shortcode. With this nonce, the attacker can send crafted HTTP requests to the bulk appointments REST API endpoint (e.g., POST /wp-json/ssa/v1/appointments/bulk) without any authentication. The endpoint accepts an array of appointment IDs and fields to update, allowing the attacker to modify arbitrary appointment records or retrieve full customer PII from the response.

Impact

Successful exploitation allows an attacker to read and modify any appointment record in the system. This includes exposure of customer personally identifiable information (PII) such as names, email addresses, phone numbers, and custom fields, as well as modification of payment status, meeting URLs, and other appointment details. The attacker gains unauthorized access to sensitive data and can disrupt appointment scheduling operations.

Mitigation

The vendor has not yet released a patched version as of the publication date (2026-05-28). Users should disable the plugin or restrict access to the REST API endpoint via web application firewall rules or custom code until a fix is available. All versions up to and including 1.6.11.8 are affected. No workaround is provided in the references.
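One way to apply the "custom code" stop-gap above, as an added example that is not the plugin's or the advisory's own code: a must-use WordPress plugin that refuses the bulk route to any caller lacking a chosen capability, before the vulnerable permission callback is ever reached. It assumes the route is /ssa/v1/appointments/bulk (the path the Exploitation section gives as an example) and that site administrators hold manage_options.

```php
<?php
/**
 * Plugin Name: SSA Bulk Endpoint Guard
 * Description: Stop-gap must-use plugin (drop it into wp-content/mu-plugins/)
 *              until the vendor ships a fix. Added example, not vendor code.
 */

// Assumption: the bulk route is registered under the ssa/v1 namespace at
// /appointments/bulk, matching the example request in the advisory. Adjust
// the pattern if the installed version registers it elsewhere.
const SSA_BULK_ROUTE_PATTERN = '#^/ssa/v1/appointments/bulk/?$#';

// Capability a caller must hold to reach the bulk endpoint at all.
// Administrators hold manage_options; the static public nonce is deliberately
// NOT accepted as proof of anything, since any visitor can read it.
const SSA_BULK_REQUIRED_CAP = 'manage_options';

/**
 * Runs before the route's own permission callback and callback, so the
 * plugin's missing authorization check is never reached for this route.
 */
function ssa_guard_bulk_endpoint( $response, $handler, $request ) {
    if ( ! $request instanceof WP_REST_Request ) {
        return $response;
    }
    if ( ! preg_match( SSA_BULK_ROUTE_PATTERN, $request->get_route() ) ) {
        return $response; // Not the bulk route: leave other requests untouched.
    }
    if ( current_user_can( SSA_BULK_REQUIRED_CAP ) ) {
        return $response; // Cookie-authenticated privileged user: allow.
    }
    // Record the denial so operators can spot probing in debug.log.
    error_log( sprintf(
        'ssa-bulk-guard: denied %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to use the bulk appointments endpoint.',
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_request_before_callbacks', 'ssa_guard_bulk_endpoint', 10, 3 );
```

If the public booking form itself turns out to call the bulk route, this guard will break it, so make a test booking after deploying. A WAF rule matching the same path and requiring an authenticated session is the equivalent edge-side control.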

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: no source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 11

News mentions: 0. No linked articles in our index yet.