CVE-2025-11723 MEDIUM

CVE-2025-11723: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure

Vendor Croixhaug
Product Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Weakness CWE-330 · Insufficient randomness
Published January 6, 2026
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.

Explanation of Vulnerability in Simple Terms

02Summary

The Appointment Booking Calendar plugin contains a use of insufficiently random values (CWE-330) that allows an attacker to predict or brute-force sensitive tokens or identifiers. An unauthenticated attacker on the network can exploit this without user interaction to read or modify appointment data. Update to a version newer than 1.6.9.5.

What an attacker can do

03Attacker Capabilities

Predict or brute-force random tokens to read or modify appointment booking data without authentication.

Potential impact on your site

04Site Impact

Appointment data may be exposed or modified by unauthorized users; booking integrity is compromised.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

January 6, 2026 CVE published
April 8, 2026 Record updated