CVE-2026-23622: CWE-352: Cross-Site Request Forgery (CSRF) in alextselegidis easyappointments
CVE-2026-23622 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability affecting Easy!Appointments versions 1.5.2 and earlier. The application enforces CSRF protection only on POST requests, while some state-changing operations also accept their parameters via GET, so an attacker can craft a URL that performs an unauthorized action when a logged-in administrator's browser loads it. Exploitation can lead to creation of admin accounts, modification of admin credentials, and full admin account takeover; the attacker needs no credentials of their own, only a victim with an active admin session. This flaw significantly compromises the confidentiality, integrity, and availability of affected systems. European organizations running the self-hosted Easy!Appointments scheduler are at risk, especially those with public-facing installations. Mitigation involves applying the patch when available, restricting state-changing operations to POST, and validating CSRF tokens on all state-changing endpoints regardless of HTTP method.
AI Analysis
Technical Summary
The vulnerability CVE-2026-23622 in Easy!Appointments (<= 1.5.2) stems from an incomplete CSRF protection implementation. The csrf_verify() function in application/core/EA_Security.php validates the CSRF token only when the request method is POST and returns early for every other method. Several endpoints, however, perform sensitive state-changing operations (such as creating admin accounts or modifying admin credentials) and read their parameters via GET or $_REQUEST, which merges query-string and body parameters. An attacker can therefore place every required parameter in a URL; when an authenticated administrator's browser loads it (via a link, an image tag or a hidden frame on an attacker-controlled page), the browser attaches the session cookie and the action executes without the victim's knowledge or consent. The attacker needs no prior authentication or privileges on the target; the only user interaction is the victim visiting the crafted link or page while logged in. The impact is full administrative account takeover, which compromises the confidentiality, integrity, and availability of the appointment scheduling system. No exploitation in the wild has been reported, but the low complexity and high impact make this a high-risk issue. The CVSS 4.0 vector reflects a network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability.
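The following is an added example, not code from Easy!Appointments or from the advisory. It models the POST-only check described above next to a hardened handler that refuses GET for state changes, verifies the token for every non-safe method, and reads its input from the POST body only. The token and cookie names, the ea_session cookie, the user fields and the handler names are illustrative assumptions, not the project's identifiers.

```php
<?php
declare(strict_types=1);
// Added example (not Easy!Appointments code). Token/cookie names, the session
// cookie and the user fields below are assumptions made for illustration.

const CSRF_TOKEN_NAME  = 'csrf_token';   // assumed form-field / header token name
const CSRF_COOKIE_NAME = 'csrf_cookie';  // assumed double-submit cookie name
const SAFE_METHODS     = ['GET', 'HEAD', 'OPTIONS'];   // RFC 7231 safe methods

// Vulnerable pattern: the token is compared on POST only; every other method
// passes straight through because of the early return.
function csrf_verify_vulnerable(string $method, array $post, array $cookie): bool
{
    if (strtoupper($method) !== 'POST') {
        return true;   // GET, PUT, DELETE ... are never checked
    }
    return isset($post[CSRF_TOKEN_NAME], $cookie[CSRF_COOKIE_NAME])
        && is_string($post[CSRF_TOKEN_NAME]) && is_string($cookie[CSRF_COOKIE_NAME])
        && hash_equals($cookie[CSRF_COOKIE_NAME], $post[CSRF_TOKEN_NAME]);
}

// Hardened pattern: only safe methods skip the check, and the token is taken
// from the body or a request header, never from the query string (which
// would leak into logs and Referer headers).
function csrf_verify_hardened(string $method, array $post, array $cookie, array $headers): bool
{
    if (in_array(strtoupper($method), SAFE_METHODS, true)) {
        return true;   // safe methods must not change state; the handler enforces that
    }
    $presented = $post[CSRF_TOKEN_NAME] ?? $headers['X-CSRF-Token'] ?? null;
    $expected  = $cookie[CSRF_COOKIE_NAME] ?? null;
    if (!is_string($presented) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $presented);
}

// Vulnerable handler: merges query and body like $_REQUEST, so a crafted URL
// alone carries the new admin's credentials and the GET is never checked.
function user_save_vulnerable(string $method, array $get, array $post, array $cookie): array
{
    if (!csrf_verify_vulnerable($method, $post, $cookie)) {
        return ['status' => 403];
    }
    $in = $get + $post;   // roughly what $_REQUEST gives the handler
    return ['status' => 200, 'created' => [
        'username' => $in['username'] ?? null, 'role' => $in['role'] ?? null]];
}

// Hardened handler: refuses non-POST outright, verifies the token, and reads
// parameters from the POST body only. A GET query string is simply not an input.
function user_save_hardened(string $method, array $post, array $cookie, array $headers): array
{
    if (strtoupper($method) !== 'POST') {
        return ['status' => 405];   // state change over GET is rejected first
    }
    if (!csrf_verify_hardened($method, $post, $cookie, $headers)) {
        return ['status' => 403];
    }
    return ['status' => 200, 'created' => [
        'username' => $post['username'] ?? null, 'role' => $post['role'] ?? null]];
}

// Constructed scenario: an administrator's browser is lured to a crafted URL.
// The browser attaches the session cookie, but the attacker cannot read the
// CSRF cookie and the request arrives as GET.
$cookie      = [CSRF_COOKIE_NAME => bin2hex(random_bytes(16)), 'ea_session' => 'victim'];
$forgedQuery = ['username' => 'attacker', 'password' => 'hunter2', 'role' => 'admin'];
$legitBody   = [CSRF_TOKEN_NAME => $cookie[CSRF_COOKIE_NAME]] + $forgedQuery;

$cases = [
    'vulnerable, forged GET'        => user_save_vulnerable('GET', $forgedQuery, [], $cookie),
    'hardened, forged GET'          => user_save_hardened('GET', [], $cookie, []),
    'hardened, forged POST no token'=> user_save_hardened('POST', $forgedQuery, $cookie, []),
    'hardened, same-origin form'    => user_save_hardened('POST', $legitBody, $cookie, []),
];
foreach ($cases as $label => $result) {
    printf("%-32s -> %s\n", $label, json_encode($result));
}
```

Run it with `php csrf_demo.php`. The first case shows the account being created from the query string alone; the second and third show the hardened handler refusing the forged GET with 405 and the token-less cross-site POST with 403, while the fourth (a same-origin form that carries the double-submit token) still succeeds. Both layers matter: rejecting GET closes the method gap the advisory describes, and reading only the POST body means a stray GET-handling route cannot be fed parameters from a URL.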
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for entities relying on Easy!Appointments to manage sensitive appointment data, such as healthcare providers, government agencies, and service-oriented businesses. An attacker exploiting this flaw gains full administrative control, leading to unauthorized data access, manipulation of appointments, disruption of services, and potential exposure of personal data protected under GDPR. The ability to create or modify admin accounts provides persistent unauthorized access that survives the original session and can serve as a foothold for further attacks. This can result in operational downtime, reputational damage, regulatory penalties, and financial losses. Public-facing installations are the most exposed, but because the forged request is issued by the victim's own browser, an installation reachable only from an internal network is still exploitable whenever an administrator with an active session browses the web.
Mitigation Recommendations
Organizations should review their Easy!Appointments installations and upgrade to a fixed release as soon as one is available. Until then, administrators should apply the following mitigations:
- Restrict all state-changing operations to POST (or another non-safe method) and reject GET on those routes; handlers should read their parameters from the POST body, not from $_REQUEST or $_GET.
- Enforce CSRF token validation on every state-changing endpoint regardless of HTTP method: csrf_verify() should skip only the safe methods GET, HEAD and OPTIONS rather than everything except POST.
- Set the session cookie with the SameSite attribute (this is a server-side cookie attribute, not a browser setting users apply). SameSite=Lax blocks the cookie on cross-site subresource loads such as image tags and frames, but it is still sent on top-level cross-site GET navigations, so Lax alone does not stop a link- or redirect-based variant of this attack; SameSite=Strict does, at the cost of breaking links into the admin area from other sites. Treat SameSite as defence in depth, not as a substitute for the two items above.
- Deploy WAF rules that block GET requests to known state-changing administrative routes, or GET requests whose query string carries credential-like parameters (password, role).
- Audit user roles and limit the number of accounts with administrative privileges.
- Monitor access logs for GET requests to administrative routes, for query strings containing credentials, and for admin actions with a cross-site Referer; review the admin user list for unexpected accounts or changed credentials.
- Train users not to follow untrusted links while logged in as an administrator, and have administrators log out of the scheduler when finished.
- Isolate the scheduler in a segmented network zone to limit what a compromised admin account can reach; note that segmentation does not prevent the CSRF itself, because the forged request originates from the victim's browser, which already has access.
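As an added example for the log-monitoring step (not part of the advisory or the project), the script below scans combined-format web-server access logs and flags GET requests that look like state-changing administrative calls. The route fragments, the parameter names, the host name and the three log lines are constructed assumptions; adjust the constants to the real route table of the installation. It uses str_contains and therefore needs PHP 8.

```php
<?php
declare(strict_types=1);
// Added example, not Easy!Appointments code. Routes, parameter names, the own
// host name and the sample log lines are constructed for illustration.

// Route fragments that should never be reached with GET (assumed; adjust).
const STATE_CHANGING_PATHS = ['/users/save', '/users/delete', '/admins/save',
                              '/admins/delete', '/settings/save'];
// Query parameters whose presence on a GET is a strong signal by itself.
const SENSITIVE_PARAMS = ['password', 'username', 'role', 'email'];
// The scheduler's own host; any other Referer host is cross-site (assumed).
const OWN_HOST = 'booking.example.org';

// Parse one Apache/nginx combined-format line; returns null if it does not match.
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    parse_str($url['query'] ?? '', $params);
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => strtoupper($m[3]),
        'path'    => $url['path'] ?? $m[4],
        'params'  => $params,
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

// Returns the reasons a request is suspicious; an empty list means benign.
function suspicious_reasons(array $req): array
{
    if ($req['method'] !== 'GET') {
        return [];   // this advisory is about GET; POSTs need the token check, not log review
    }
    $reasons = [];
    foreach (STATE_CHANGING_PATHS as $fragment) {
        if (str_contains($req['path'], $fragment)) {
            $reasons[] = "GET to state-changing route $fragment";
            break;
        }
    }
    $hits = array_intersect(SENSITIVE_PARAMS, array_keys($req['params']));
    if ($hits !== []) {
        $reasons[] = 'credential-like query parameters: ' . implode(',', $hits);
    }
    // A cross-site Referer on an otherwise suspicious admin call is the CSRF tell-tale.
    $refHost = parse_url($req['referer'], PHP_URL_HOST);
    if ($reasons !== [] && is_string($refHost) && $refHost !== OWN_HOST) {
        $reasons[] = "cross-site Referer host $refHost";
    }
    return $reasons;
}

// Scan an iterable of raw log lines and collect findings with 1-based line numbers.
function scan(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $index => $line) {
        $req = parse_combined(trim($line));
        if ($req === null) {
            continue;
        }
        $reasons = suspicious_reasons($req);
        if ($reasons !== []) {
            $findings[] = ['line' => $index + 1, 'ip' => $req['ip'],
                           'path' => $req['path'], 'status' => $req['status'],
                           'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic): a normal admin page view, a
// forged GET carrying admin credentials from a cross-site page, and a normal POST.
$sample = [
    '203.0.113.7 - - [15/Jan/2026:20:01:02 +0000] "GET /index.php/backend/calendar HTTP/1.1" 200 5120 "https://booking.example.org/index.php/backend" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jan/2026:20:01:09 +0000] "GET /index.php/users/save?username=attacker&password=hunter2&role=admin HTTP/1.1" 200 84 "https://evil.example.net/lure.html" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jan/2026:20:02:30 +0000] "POST /index.php/users/save HTTP/1.1" 200 84 "https://booking.example.org/index.php/backend/users" "Mozilla/5.0"',
];

$lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;
foreach (scan($lines) as $f) {
    printf("line %d  %s  %s (HTTP %d)\n  - %s\n", $f['line'], $f['ip'], $f['path'],
        $f['status'], implode("\n  - ", $f['reasons']));
}
```

Run it as `php scan_csrf_get.php /var/log/apache2/access.log` to scan a real log, or without an argument to run over the embedded sample. Only the second sample line is reported, with all three reasons. Because GET query strings are recorded in access logs, this scan also works retroactively over archived logs, which is useful when establishing whether an installation was targeted before the fix was applied; a forged request that returned HTTP 200 on a state-changing route should be followed by a review of the admin user table.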
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-14T16:08:37.482Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6969476c1ab3796b1034af96
Added to database: 1/15/2026, 8:00:44 PM
Last enriched: 1/22/2026, 9:31:22 PM
Last updated: 2/7/2026, 8:12:44 PM