CVE-2025-13754: CWE-862 Missing Authorization in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services.
AI Analysis
Technical Summary
CVE-2025-13754 is a missing authorization vulnerability (CWE-862) in the Simply Schedule Appointments Booking Plugin for WordPress. The plugin exposes its admin embed endpoint `/wp-json/ssa/v1/embed-inner-admin` without requiring authentication, allowing unauthenticated users to retrieve sensitive configuration details including staff and business names. In premium versions, this may also include API keys for integrated external services. The vulnerability affects all versions up to and including 1.6.9.16. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with no privileges required and no user interaction needed, resulting in limited confidentiality impact.
Potential Impact
An unauthenticated attacker can access sensitive business configuration data through the exposed admin embed endpoint. This includes staff names, business names, and plugin settings that are not publicly visible on the booking form. For premium users with integrations configured, API keys for external services may also be exposed, potentially leading to further compromise of those services. There is no impact on integrity or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected endpoint by implementing authentication or access controls at the web server or application level to prevent unauthenticated access. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2025-13754: CWE-862 Missing Authorization in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-13754 is a missing authorization vulnerability (CWE-862) in the Simply Schedule Appointments Booking Plugin for WordPress. The plugin exposes its admin embed endpoint `/wp-json/ssa/v1/embed-inner-admin` without requiring authentication, allowing unauthenticated users to retrieve sensitive configuration details including staff and business names. In premium versions, this may also include API keys for integrated external services. The vulnerability affects all versions up to and including 1.6.9.16. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with no privileges required and no user interaction needed, resulting in limited confidentiality impact.
Potential Impact
An unauthenticated attacker can access sensitive business configuration data through the exposed admin embed endpoint. This includes staff names, business names, and plugin settings that are not publicly visible on the booking form. For premium users with integrations configured, API keys for external services may also be exposed, potentially leading to further compromise of those services. There is no impact on integrity or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected endpoint by implementing authentication or access controls at the web server or application level to prevent unauthenticated access. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-26T19:11:33.301Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6944f80919341fe18889df10
Added to database: 12/19/2025, 7:00:25 AM
Last enriched: 4/9/2026, 9:09:21 PM
Last updated: 5/8/2026, 10:18:56 AM
Views: 195
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.