CVE-2025-11723 is a vulnerability in the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, identified as CWE-330 (Use of Insufficiently Random Values). The plugin relies on the PHP hash() function combined with a hardcoded fallback salt when a custom salt is not defined in the wp-config.php configuration file. This hardcoded salt reduces the entropy of generated tokens, making them predictable and reusable across different installations that have not set a unique salt. As a result, unauthenticated remote attackers can generate valid tokens to access sensitive booking information and perform unauthorized modifications to appointments. The vulnerability affects all versions up to and including 1.6.9.5. The attack requires no privileges or user interaction and can be executed remotely over the network. The weakness compromises confidentiality and integrity of booking data but does not affect availability. No patches or exploit code are currently publicly available, but the risk is significant for sites that have not customized their salt settings. This vulnerability highlights the critical importance of proper cryptographic practices and configuration management in WordPress plugins handling sensitive user data.

The impact of CVE-2025-11723 is primarily on the confidentiality and integrity of appointment booking data managed by the affected WordPress plugin. Attackers can gain unauthorized access to sensitive booking information, including customer details and appointment schedules, potentially leading to privacy violations and data leakage. Furthermore, the ability to modify booking information without authentication can disrupt business operations, cause scheduling conflicts, and damage customer trust. Organizations relying on this plugin for appointment management, especially those in healthcare, legal, education, or service industries, may face operational disruptions and reputational harm. Although availability is not directly affected, the indirect consequences of data manipulation and exposure can be severe. The vulnerability's ease of exploitation (no authentication or user interaction required) increases the risk of widespread abuse, particularly on sites that have not set a custom salt. Without mitigation, attackers could automate token generation attacks across multiple vulnerable sites, amplifying the threat.

To mitigate CVE-2025-11723, organizations should immediately verify whether their WordPress installations using the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin have a custom salt defined in the wp-config.php file. Setting a unique, high-entropy salt value is critical to prevent token predictability. Administrators should add or update the SALT constant in wp-config.php with a securely generated random string. Additionally, plugin developers and site operators should monitor for plugin updates that address this vulnerability by removing reliance on hardcoded salts and implementing cryptographically secure random token generation methods. Until an official patch is released, restricting access to the plugin's booking endpoints via web application firewalls or IP whitelisting can reduce exposure. Regularly auditing plugin configurations and access logs for suspicious activity is recommended. Finally, educating site administrators on secure configuration practices and the risks of default cryptographic parameters can prevent similar vulnerabilities.