What the vulnerability does
01 Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the `ssa_manage_appointments` capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter.
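As an added illustration (not the plugin's own code), the following WordPress REST permission callbacks contrast the shape of the flaw described above, a capability-only check, with one that also verifies the requested appointment is assigned to the current staff user. The lookup helper `example_get_appointment_staff_id()` and the use of `manage_options` as the broad "see everything" capability are assumptions for this example, not details from the advisory.

```php
<?php
// Added example, not the plugin's code. Shows why a capability-only
// permission_callback is an IDOR: every user holding ssa_manage_appointments
// can read any appointment ID, whichever staff member it belongs to.

// Hypothetical helper (assumption): returns the WP user ID of the staff member
// the appointment is assigned to, or null if no such appointment exists.
function example_get_appointment_staff_id( int $appointment_id ): ?int {
    // Constructed sample data standing in for a database lookup.
    $sample = [ 101 => 7, 102 => 9 ];
    return $sample[ $appointment_id ] ?? null;
}

// Vulnerable shape: the decision depends on the capability alone, never on
// which object the caller is asking for.
function vulnerable_get_item_permissions_check( WP_REST_Request $request ) {
    return current_user_can( 'ssa_manage_appointments' );
}

// Hardened shape: capability AND ownership of the specific appointment.
function hardened_get_item_permissions_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'ssa_manage_appointments' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', [ 'status' => 403 ] );
    }

    $appointment_id = absint( $request->get_param( 'id' ) );
    $owner_id       = example_get_appointment_staff_id( $appointment_id );

    // Design choice: answer 404 for both missing and foreign records so the
    // endpoint does not confirm which appointment IDs exist.
    if ( null === $owner_id ) {
        return new WP_Error( 'rest_not_found', 'Appointment not found.', [ 'status' => 404 ] );
    }

    // Assumption: site administrators (manage_options) may view every record;
    // staff-level users are limited to appointments assigned to them.
    if ( current_user_can( 'manage_options' ) || get_current_user_id() === $owner_id ) {
        return true;
    }

    return new WP_Error( 'rest_not_found', 'Appointment not found.', [ 'status' => 404 ] );
}

// Either function would be wired in as the route's permission_callback:
// register_rest_route( 'example/v1', '/appointments/(?P<id>\d+)', [
//     'methods'             => WP_REST_Server::READABLE,
//     'callback'            => 'example_get_appointment',
//     'permission_callback' => 'hardened_get_item_permissions_check',
// ] );
```

When reviewing a plugin's REST controllers, the check to apply is whether every `get_item_permissions_check` that receives an object ID consults the object, not just the caller's capabilities.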
Explanation of Vulnerability in Simple Terms
02 Summary
A low-privilege user can read sensitive information from the Appointment Booking Calendar plugin through a network request. The vulnerability requires a logged-in account but no additional user interaction. Affected versions are 1.6.9.29 and earlier. Update to a version newer than 1.6.9.29.
What an attacker can do
03 Attacker Capabilities
Read sensitive information accessible to low-privilege users via network requests.
Potential impact on your site
04 Site Impact
Logged-in users with low privileges can access data they shouldn't see; confidentiality risk.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account on the site; no user interaction required.
Key dates
06 Disclosure timeline
March 13, 2026: CVE published
April 8, 2026: Record updated