The Easy Appointments plugin for WordPress contains a sensitive information exposure vulnerability (CVE-2026-2262) in all versions up to 3.12.21. The issue arises because the REST API endpoint /wp-json/wp/v2/eablocks/ea_appointments/ is registered with a permission callback set to '__return_true', effectively disabling any authentication or authorization checks. This allows unauthenticated attackers to retrieve sensitive customer appointment data, including personally identifiable information and appointment details. The vulnerability has a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited remotely without privileges or user interaction and results in high confidentiality impact without affecting integrity or availability. No vendor advisory or patch information is currently available, and no known exploits have been reported.

An unauthenticated attacker can access sensitive customer data such as full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information via the vulnerable REST API endpoint. This exposure compromises customer privacy and confidentiality but does not affect data integrity or availability. The vulnerability can be exploited remotely without any authentication or user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling or restricting access to the vulnerable REST API endpoint if possible, or applying custom access controls to prevent unauthenticated access. Monitor official Easy Appointments channels for updates and patches addressing this issue.