What the vulnerability does
01 Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.
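The pattern described above, shown beside a hardened form, as an added example that is not the plugin's own code. All function names are hypothetical and `FALLBACK_SALT` is a constructed placeholder, not the plugin's real value.

```php
<?php
// Added illustration only; not the plugin's code. Names and values are hypothetical.

const FALLBACK_SALT = 'constructed-example-fallback'; // placeholder value

// Vulnerable pattern: when the site defines no salt, every install
// silently shares the same constant shipped in the source code.
function weak_token(int $bookingId, ?string $siteSalt): string
{
    $salt = $siteSalt ?? FALLBACK_SALT;
    return hash('sha256', $bookingId . $salt);
}

// Hardened pattern: require a per-site random secret, fail closed when it is
// missing, and use a keyed MAC instead of a plain hash of id + salt.
function strong_token(int $bookingId, ?string $siteSecret): string
{
    if ($siteSecret === null || strlen($siteSecret) < 32) {
        throw new RuntimeException('No per-site secret configured; refusing to issue tokens');
    }
    return hash_hmac('sha256', (string) $bookingId, $siteSecret);
}

// Constant-time comparison avoids leaking how many leading characters matched.
function verify_token(int $bookingId, string $presented, string $siteSecret): bool
{
    return hash_equals(strong_token($bookingId, $siteSecret), $presented);
}

// Two constructed sites, neither of which set a salt in wp-config.php:
// both fall back to the same constant, so their tokens for booking 42 coincide.
var_dump(weak_token(42, null) === weak_token(42, null));

// The same two sites with secrets generated independently at install time:
// a token issued by site A does not match or verify on site B.
$secretA = bin2hex(random_bytes(32));
$secretB = bin2hex(random_bytes(32));
var_dump(strong_token(42, $secretA) === strong_token(42, $secretB));
var_dump(verify_token(42, strong_token(42, $secretA), $secretA));
var_dump(verify_token(42, strong_token(42, $secretA), $secretB));

// With no secret configured, the hardened form refuses instead of falling back.
try {
    strong_token(42, null);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```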
Explanation of Vulnerability in Simple Terms
02 Summary
The Appointment Booking Calendar plugin contains a use of insufficiently random values (CWE-330) that allows an attacker to predict or brute-force sensitive tokens or identifiers. An unauthenticated attacker on the network can exploit this without user interaction to read or modify appointment data. Update to a version newer than 1.6.9.5.
What an attacker can do
03 Attacker Capabilities
Predict or brute-force random tokens to read or modify appointment booking data without authentication.
Potential impact on your site
04 Site Impact
Appointment data may be exposed or modified by unauthorized users; booking integrity is compromised.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
January 6, 2026: CVE published
April 8, 2026: Record updated