The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CWE-639) in versions up to 1.6.9.29. The issue is due to the get_item_permissions_check method granting access based solely on the ssa_manage_appointments capability without validating staff ownership of the appointment resource. Authenticated users with this capability can access appointment data belonging to other staff members by manipulating the appointment ID parameter, leading to unauthorized disclosure of sensitive customer information. The vulnerability is rated medium severity with a CVSS 3.1 score of 4.3, reflecting low complexity and limited impact on confidentiality without integrity or availability effects. There is no vendor advisory or patch information available at this time.

Authenticated users with the ssa_manage_appointments capability can bypass authorization controls to view appointment records of other staff members. This unauthorized access exposes sensitive customer personally identifiable information. The vulnerability does not affect data integrity or availability. There are no known exploits in the wild. The impact is limited to confidentiality exposure within the scope of users who already have some level of management access.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict the ssa_manage_appointments capability to trusted users only and monitor access to appointment data. Avoid granting this capability broadly to reduce risk of unauthorized data exposure.