CVE-2025-13754: CWE-862 Missing Authorization in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services.
AI Analysis
Technical Summary
CVE-2025-13754 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Simply Schedule Appointments Booking Plugin for WordPress, developed by croixhaug. The issue arises because the plugin exposes an admin embed endpoint at /wp-json/ssa/v1/embed-inner-admin without any authentication or authorization checks. This endpoint leaks sensitive configuration data including staff names, business names, and other plugin settings that are not intended for public access. In premium versions where integrations with external services are configured, the vulnerability can also expose API keys, which could be leveraged to access or manipulate third-party services. The vulnerability affects all plugin versions up to and including 1.6.9.16. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the fact that the vulnerability can be exploited remotely without authentication or user interaction, but only results in confidentiality loss without impacting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability’s root cause is the lack of proper authorization checks on a sensitive REST API endpoint, allowing unauthenticated attackers to retrieve private business configuration data that could facilitate further attacks or information gathering.
Potential Impact
For European organizations, especially small and medium enterprises (SMEs) that commonly use WordPress and plugins like Simply Schedule Appointments, this vulnerability poses a risk of sensitive business information disclosure. Exposure of staff and business names can aid social engineering or spear-phishing attacks. More critically, in premium plugin versions, leaked API keys could allow attackers to access or manipulate integrated external services, potentially leading to data breaches or service disruptions. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can undermine trust, violate data protection regulations such as GDPR, and result in reputational damage. Organizations relying on this plugin for customer appointment management may face operational risks if attackers leverage exposed API keys to disrupt services or exfiltrate data from connected platforms.
Mitigation Recommendations
Immediate mitigation steps include restricting access to the vulnerable REST API endpoint by implementing authentication and authorization controls at the web server or application level, such as IP whitelisting or requiring logged-in admin credentials. Organizations should audit their WordPress installations to identify usage of the Simply Schedule Appointments plugin and verify the plugin version. Until an official patch is released, disabling or removing the plugin can be considered if the risk is unacceptable. For premium users, it is critical to rotate any exposed API keys for external services to prevent unauthorized access. Monitoring web server logs for suspicious access to /wp-json/ssa/v1/embed-inner-admin can help detect exploitation attempts. Finally, organizations should keep abreast of vendor updates and apply patches promptly once available.
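The audit and log-monitoring steps above, as an added example (not code from the page, the plugin vendor, or Wordfence): a Python script that (a) reads the `Version:` header of a WordPress plugin's main file and decides whether it falls in the affected range, comparing version components numerically rather than as strings, and (b) scans combined-format web server access logs for requests to `/wp-json/ssa/v1/embed-inner-admin`, including WordPress's `?rest_route=` form of the same route, and summarises hits per client IP. The sample log lines and plugin header below are constructed; the plugin's real main file name is not on the page, so the caller supplies the file's text.

```python
"""Defender-side triage helpers for CVE-2025-13754 (added example, not vendor code).

Two checks taken from the mitigation advice:
  1. audit: is the installed plugin version within the affected range (<= 1.6.9.16)?
  2. detect: which clients requested the unauthenticated admin embed endpoint?
"""
import re
from collections import defaultdict

AFFECTED_MAX = "1.6.9.16"  # last affected version per the advisory

# Path from the advisory, plus the non-pretty-permalink form WordPress accepts
# for any REST route (?rest_route=/...). A trailing delimiter or end-of-string
# is required so that longer, unrelated route names do not match.
ENDPOINT_PATTERNS = (
    re.compile(r"/wp-json/ssa/v1/embed-inner-admin(?:[/?#]|$)"),
    re.compile(r"[?&]rest_route=/?ssa/v1/embed-inner-admin(?:[/&#]|$)"),
)

# 'Version:' line of a WordPress plugin header block (" * Version: 1.2.3").
PLUGIN_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Apache/nginx combined log format; sample lines are constructed below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def version_tuple(v):
    """'1.6.9.16' -> (1, 6, 9, 16); a non-numeric component ends the tuple."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version):
    """True when version <= 1.6.9.16. Plain string comparison gets this wrong
    ('1.6.9.2' > '1.6.9.16' as strings), so compare integer tuples."""
    return version_tuple(version) <= version_tuple(AFFECTED_MAX)


def plugin_version_from_header(php_source):
    """Extract the Version: value from a plugin main file's header comment."""
    m = PLUGIN_HEADER_RE.search(php_source)
    return m.group(1) if m else None


def is_endpoint_hit(target):
    """True if the request target addresses the admin embed route in either form."""
    return any(p.search(target) for p in ENDPOINT_PATTERNS)


def scan_access_log(lines):
    """Return {ip: [(timestamp, target, status), ...]} for endpoint requests.

    A 2xx to an arbitrary client is the disclosure signal; 401/403 after the
    route has been locked down still shows that someone is probing it."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_endpoint_hit(m["target"]):
            hits[m["ip"]].append((m["ts"], m["target"], int(m["status"])))
    return dict(hits)


def summarise(hits):
    """Per-IP totals and how many of those requests succeeded (2xx)."""
    return {
        ip: {"total": len(ev), "successful": sum(1 for _, _, st in ev if 200 <= st < 300)}
        for ip, ev in hits.items()
    }


# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/2025:07:02:11 +0000] "GET /wp-json/ssa/v1/embed-inner-admin HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.7 - - [19/Dec/2025:07:03:40 +0000] "GET /?rest_route=/ssa/v1/embed-inner-admin HTTP/1.1" 200 4820 "-" "curl/8.4.0"
192.0.2.10 - - [19/Dec/2025:07:05:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9311 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Dec/2025:07:05:09 +0000] "GET /book-now/ HTTP/1.1" 200 12044 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Dec/2025:07:09:55 +0000] "GET /wp-json/ssa/v1/embed-inner-admin?_=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
""".splitlines()

if __name__ == "__main__":
    # Constructed header text; in practice read the plugin's main PHP file.
    header = "<?php\n/**\n * Plugin Name: Simply Schedule Appointments\n * Version: 1.6.9.16\n */\n"
    v = plugin_version_from_header(header)
    print(f"installed {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for ip, s in summarise(scan_access_log(SAMPLE_LOG)).items():
        print(ip, s)
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; any IP with `successful > 0` retrieved the configuration while the route was still open, which is the trigger for rotating integration API keys on premium installs.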
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-26T19:11:33.301Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6944f80919341fe18889df10
Added to database: 12/19/2025, 7:00:25 AM
Last enriched: 12/19/2025, 7:16:35 AM
Last updated: 12/19/2025, 8:44:46 AM