CVE-2026-1704 MEDIUM

CVE-2026-1704: Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure

Vendor Croixhaug
Product Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Weakness CWE-639 · IDOR
Published March 13, 2026
Last update April 8, 2026

CVSS base score: 4.3/10 (Medium)

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description: what the vulnerability does

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. The cause is that the `get_item_permissions_check` method grants access to any user holding the `ssa_manage_appointments` capability without verifying that the requesting staff member owns the requested appointment. This makes it possible for authenticated attackers with custom-level access and above (users granted the `ssa_manage_appointments` capability, such as Team Members) to view appointment records belonging to other staff members, and so to access sensitive customer personally identifiable information, simply by supplying another appointment's ID in the appointment ID parameter.
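The root cause described above is a missing object-level authorization check: the REST permission callback confirms the caller holds a capability but never confirms the caller is allowed to see that particular record. The following PHP is an added illustration written for this advisory, not code from the plugin or its vendor. It contrasts a capability-only permission callback with one that also checks ownership, in the style of a WordPress REST controller. Everything beyond the capability name and method name quoted in the advisory is assumed: the `staff_id` field, the `ssa_example_*` function names, the example table name, and the choice to let site administrators see every appointment.

```php
<?php
// Added example (not the plugin's own code). Contrasts a capability-only
// REST permission callback with one that also enforces object-level
// authorization. Assumptions not taken from the advisory: appointments carry
// a `staff_id` column, loaded through a hypothetical accessor below, and
// users with `manage_options` may view every appointment.

// Weak pattern: anyone with the capability can read any appointment ID.
function ssa_example_weak_permissions_check( WP_REST_Request $request ) {
    return current_user_can( 'ssa_manage_appointments' );
}

// Hardened pattern: capability check followed by an ownership check.
function ssa_example_get_item_permissions_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'ssa_manage_appointments' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }

    $appointment_id = absint( $request->get_param( 'id' ) );
    $appointment    = ssa_example_load_appointment( $appointment_id ); // hypothetical helper

    // Use the same response for "does not exist" and "not yours" so that the
    // status code does not reveal which appointment IDs are valid.
    if ( null === $appointment ) {
        return new WP_Error( 'rest_forbidden', 'You cannot view this appointment.', array( 'status' => 403 ) );
    }

    // Assumed policy: administrators may view all appointments.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }

    // Object-level authorization: a staff member may only view their own records.
    if ( (int) $appointment['staff_id'] !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'You cannot view this appointment.', array( 'status' => 403 ) );
    }

    return true;
}

// Hypothetical storage accessor; the real plugin's schema is not known here.
function ssa_example_load_appointment( int $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_appointments'; // assumed table name
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, staff_id, customer_email FROM {$table} WHERE id = %d", $id ),
        ARRAY_A
    );
    return $row ?: null;
}

// Route handler; by the time this runs the permission callback has passed.
function ssa_example_get_item( WP_REST_Request $request ) {
    $appointment = ssa_example_load_appointment( absint( $request->get_param( 'id' ) ) );
    return rest_ensure_response( $appointment );
}

// Register the route with the hardened permission callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ssa-example/v1', '/appointments/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'ssa_example_get_item',
        'permission_callback' => 'ssa_example_get_item_permissions_check',
        'args'                => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

The design point is that capability checks answer "may this role use this endpoint at all?", while IDOR defences need a second question, "may this user act on this specific object?", answered against the record's owner on every request. Returning the same 403 for missing and foreign records is optional, but it keeps the endpoint from confirming which IDs exist.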

Summary: explanation of the vulnerability in simple terms

A low-privilege user can read sensitive information from the Appointment Booking Calendar plugin through a network request. The vulnerability requires a logged-in account but no additional user interaction. Affected versions are 1.6.9.29 and earlier. Update to a version newer than 1.6.9.29.

Attacker capabilities: what an attacker can do

From a low-privilege account, read appointment records belonging to other staff members, including customer personally identifiable information, via network requests.

Site impact: potential impact on your site

Logged-in users with low privileges can view other staff members' appointment data that they should not be able to see; this is a confidentiality risk.

Prerequisites: conditions required to exploit

The attacker must have a low-privilege account on the site that holds the `ssa_manage_appointments` capability (for example, a Team Member); no user interaction is required.

Disclosure timeline: key dates

March 13, 2026 CVE published
April 8, 2026 Record updated