What the vulnerability does
01Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal - Appointment Booking Calendar for WordPress quickcal allows Retrieve Embedded Sensitive Data.This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a through <= 1.0.15.
Explanation of Vulnerability in Simple Terms
02Summary
QuickCal allows authenticated users to read sensitive information they should not have access to. The vulnerability exists in versions up to 1.0.15 and requires a valid WordPress user account to exploit. Site administrators should update the plugin immediately to prevent unauthorized data disclosure.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the plugin that should be restricted to other users.
Potential impact on your site
04Site Impact
User data or appointment information may be exposed to authenticated users who should not see it.
Conditions required to exploit
05Prerequisites
Attacker must have a valid WordPress user account with at least low-level privileges.
Key dates
06Disclosure timeline
May 16, 2025
CVE published
April 28, 2026
Record updated