CVE-2026-3045 HIGH

CVE-2026-3045: Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint

Vendor Croixhaug
Product Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Weakness CWE-862 · Missing authorization
Published March 13, 2026
Last update April 8, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
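The two weaknesses above map onto a general WordPress REST pattern: a nonce check proves only that a request passed through the site's front end, and a route that returns mixed-sensitivity data must still filter by the caller's capabilities. As an added illustration, not code from the plugin or this advisory, the following shows a nonce-only permission callback beside a capability-based one and a response filter that strips admin-only keys; every function, option, route and key name here is hypothetical.

```php
<?php
// Illustrative WordPress REST controller (hypothetical names; not the plugin's own code).

// Keys that only administrators should ever see (constructed list for this example).
const EXAMPLE_ADMIN_ONLY_KEYS = array( 'admin_email', 'admin_phone', 'access_token', 'developer' );

// Weak pattern: the permission callback trusts a nonce that is not bound to a user.
// A valid nonce says "this request came through our page", never "this user is allowed".
function example_weak_permissions_check( WP_REST_Request $request ) {
    return (bool) wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'example_public_action' );
}

// Hardened pattern: ask WordPress whether the current user holds the capability the data
// requires. An unauthenticated request has no capabilities, so it is rejected here.
function example_settings_permissions_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient permissions.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Defence in depth: even on a route that lower-privileged users may legitimately read,
// strip restricted keys from the payload according to the caller's capabilities.
function example_filter_settings_for_current_user( array $settings ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $settings;
    }
    return array_diff_key( $settings, array_flip( EXAMPLE_ADMIN_ONLY_KEYS ) );
}

function example_get_settings( WP_REST_Request $request ) {
    $section  = sanitize_key( $request['section'] );
    $settings = (array) get_option( 'example_settings_' . $section, array() );
    return rest_ensure_response( example_filter_settings_for_current_user( $settings ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings/(?P<section>[a-z_]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_settings',
        // Capability check, not the nonce-only example_weak_permissions_check above.
        'permission_callback' => 'example_settings_permissions_check',
    ) );
} );
```

When reviewing a plugin for this class of bug, check that every `permission_callback` ends in a `current_user_can()` decision and that any handler returning configuration data applies a filter like the one above before responding.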

Explanation of Vulnerability in Simple Terms

02 Summary

The Simply Schedule Appointments Booking Plugin for WordPress does not properly check user permissions before allowing access to sensitive appointment data. An unauthenticated attacker can read appointment details, including customer names, email addresses, phone numbers, and booking information, without logging in or having any special access.

What an attacker can do

03 Attacker Capabilities

Read appointment data including customer names, emails, phone numbers, and booking details without authentication.

Potential impact on your site

04 Site Impact

Customer appointment records and contact information are exposed to anyone on the internet.

Conditions required to exploit

05 Prerequisites

Network access to the WordPress site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

March 13, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08 Related CVE