CVE-2025-11723: CWE-330 Use of Insufficiently Random Values in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.
AI Analysis
Technical Summary
CVE-2025-11723 is a vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress caused by the use of a hardcoded fallback salt in the hash() function. This insufficient randomness (CWE-330) enables unauthenticated attackers to generate valid tokens across sites running affected plugin versions that have not configured a unique salt in wp-config.php. Exploitation allows access to sensitive booking information and the ability to modify bookings. The vulnerability affects all versions up to and including 1.6.9.5. No patch or official fix information is provided in the available data.
Potential Impact
An attacker can generate valid authentication tokens without credentials on affected sites that have not set a custom salt, leading to sensitive information exposure and unauthorized modification of booking data. This compromises confidentiality and integrity of appointment bookings but does not affect availability. The CVSS score of 6.5 reflects a medium severity impact with network attack vector, no privileges required, and no user interaction needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, site administrators should manually set a unique salt value in the wp-config.php file to prevent use of the hardcoded fallback salt. Monitoring vendor communications for updates or patches is recommended.
CVE-2025-11723: CWE-330 Use of Insufficiently Random Values in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-11723 is a vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress caused by the use of a hardcoded fallback salt in the hash() function. This insufficient randomness (CWE-330) enables unauthenticated attackers to generate valid tokens across sites running affected plugin versions that have not configured a unique salt in wp-config.php. Exploitation allows access to sensitive booking information and the ability to modify bookings. The vulnerability affects all versions up to and including 1.6.9.5. No patch or official fix information is provided in the available data.
Potential Impact
An attacker can generate valid authentication tokens without credentials on affected sites that have not set a custom salt, leading to sensitive information exposure and unauthorized modification of booking data. This compromises confidentiality and integrity of appointment bookings but does not affect availability. The CVSS score of 6.5 reflects a medium severity impact with network attack vector, no privileges required, and no user interaction needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, site administrators should manually set a unique salt value in the wp-config.php file to prevent use of the hardcoded fallback salt. Monitoring vendor communications for updates or patches is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-13T20:37:05.956Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695c838f3839e44175cef8db
Added to database: 1/6/2026, 3:37:51 AM
Last enriched: 4/9/2026, 9:07:44 AM
Last updated: 5/8/2026, 2:01:33 PM
Views: 115
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.