CVE-2025-13754 identifies a missing authorization vulnerability (CWE-862) in the Simply Schedule Appointments Booking Plugin for WordPress, specifically in the admin embed endpoint located at /wp-json/ssa/v1/embed-inner-admin. This endpoint is exposed without any authentication mechanism, allowing unauthenticated remote attackers to retrieve sensitive configuration data. The leaked information includes staff names, business names, and other plugin settings that are not publicly displayed on the booking form, thereby constituting sensitive information exposure. In premium versions of the plugin, where integrations with external services are configured, the vulnerability can also expose API keys, which could be leveraged to access or manipulate connected third-party services. The vulnerability affects all versions up to and including 1.6.9.16. The attack vector is network-based with low complexity, requiring no privileges or user interaction, making it accessible to any unauthenticated attacker who can reach the WordPress REST API endpoint. Although no active exploits have been reported, the exposure of sensitive business data and API keys could facilitate reconnaissance, social engineering, or further compromise of integrated services. The CVSS v3.1 base score is 5.3, indicating a medium severity primarily due to confidentiality impact without affecting integrity or availability. The vulnerability highlights the importance of proper authorization checks on REST API endpoints in WordPress plugins, especially those handling sensitive business data and integrations.

For European organizations, the exposure of sensitive business configuration data such as staff and business names can lead to privacy violations and reputational damage, especially under GDPR regulations which mandate protection of personal and business data. The leakage of API keys in premium versions poses a higher risk, as attackers could misuse these keys to access external services, potentially leading to data breaches, unauthorized transactions, or service disruptions. Organizations relying on this plugin for appointment scheduling may face operational risks if attackers leverage exposed information for targeted phishing or social engineering attacks. The vulnerability does not directly impact system integrity or availability, but the indirect consequences of compromised API keys and sensitive data exposure could be significant. Given the widespread use of WordPress in Europe and the popularity of appointment booking plugins among SMEs and service providers, the threat surface is considerable. Compliance risks are also elevated due to the exposure of personal and business data without consent. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

European organizations should immediately verify if they use the Simply Schedule Appointments Booking Plugin and identify the version in use. Upgrading to a patched version once available is the primary mitigation step. Until a patch is released, organizations should restrict access to the vulnerable REST API endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to /wp-json/ssa/v1/embed-inner-admin. Additionally, limiting REST API access to authenticated users or trusted IP addresses can reduce exposure. For premium users, rotating any exposed API keys for external integrations is critical to prevent unauthorized access. Monitoring logs for unusual access patterns to the REST API endpoint can help detect exploitation attempts. Organizations should also review and minimize the amount of sensitive data stored in plugin settings and consider disabling premium integrations if not essential. Regular security audits of WordPress plugins and their endpoints should be conducted to identify similar authorization issues proactively.