CVE-2026-3045: CWE-862 Missing Authorization in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
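The two-gate fix the description implies, written as an added example in WordPress plugin PHP (this is not the plugin's own code; the `ssa_example_*` names, the option key and the restricted-key list are assumptions for the demo):

```php
<?php
// Added illustrative example, not the plugin's own code. Route, option and
// function names (ssa_example_*) and the restricted-key list are assumptions.

// Admin-only keys that must never reach a caller without 'manage_options'.
const SSA_EXAMPLE_RESTRICTED_KEYS = array(
    'admin_email', 'admin_phone', 'access_tokens', 'notification_settings', 'developer_settings',
);

// Gate 1: who may call the route at all. A nonce minted for logged-out
// visitors is bound to user ID 0, so wp_verify_nonce() succeeding only proves
// the caller fetched the nonce from a public page; it is not an identity.
function ssa_example_permission( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    if ( wp_verify_nonce( (string) $request->get_header( 'X-WP-Nonce' ), 'ssa_example_public' ) ) {
        return true; // public read is allowed, but only of the filtered view below
    }
    return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
        array( 'status' => rest_authorization_required_code() ) );
}

// Gate 2: the step the advisory says get_item() skips. Filter by capability
// on every read, regardless of how the caller passed gate 1.
function ssa_example_filter_settings( array $settings ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $settings;
    }
    return array_diff_key( $settings, array_flip( SSA_EXAMPLE_RESTRICTED_KEYS ) );
}

function ssa_example_get_item( WP_REST_Request $request ) {
    $section  = sanitize_key( $request['section'] );
    $settings = (array) get_option( 'ssa_example_settings_' . $section, array() );
    return rest_ensure_response( ssa_example_filter_settings( $settings ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ssa-example/v1', '/settings/(?P<section>[a-z_]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'ssa_example_get_item',
        'permission_callback' => 'ssa_example_permission',
    ) );
} );
```

The point is that a shared nonce can at most authorize a public, filtered read; anything admin-only has to be gated on a capability check that runs inside the handler itself.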
AI Analysis
Technical Summary
CVE-2026-3045 is a vulnerability categorized under CWE-862 (Missing Authorization) affecting the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, specifically all versions up to and including 1.6.9.29. The root cause involves two compounding weaknesses: first, a non-user-bound 'public_nonce' is exposed to unauthenticated users through the public REST endpoint '/wp-json/ssa/v1/embed-inner'. This nonce is intended for authorization but is not tied to any specific user session, making it accessible to anyone. Second, the 'get_item()' method in the SSA_Settings_Api class relies solely on 'nonce_permissions_check()' for authorization, which accepts the public nonce, but fails to invoke 'remove_unauthorized_settings_for_current_user()' to filter out sensitive or restricted fields. As a result, unauthenticated attackers can query the '/wp-json/ssa/v1/settings/{section}' endpoint to retrieve admin-only plugin settings such as administrator email addresses, phone numbers, internal access tokens, notification configurations, and developer settings. Additionally, the exposure of appointment tokens enables attackers to modify or cancel appointments without authentication. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting high severity due to its network exploitable nature, lack of required privileges or user interaction, and significant confidentiality impact. Although no public exploits have been reported yet, the vulnerability poses a serious risk to the confidentiality of sensitive data and the integrity of appointment management within affected WordPress sites.
Potential Impact
The primary impact of CVE-2026-3045 is unauthorized disclosure of sensitive administrative data, including contact information and internal access tokens, which can lead to further targeted attacks such as phishing, social engineering, or lateral movement within an organization's infrastructure. Exposure of notification configurations and developer settings could reveal internal operational details that attackers might exploit. Furthermore, the ability to modify or cancel appointments without authentication undermines the integrity of the booking system, potentially disrupting business operations, customer trust, and service availability indirectly. Organizations relying on this plugin for appointment scheduling risk reputational damage and operational disruption if exploited. Since the vulnerability is exploitable remotely without authentication or user interaction, it significantly increases the attack surface for WordPress sites using this plugin. The lack of known exploits in the wild currently limits immediate widespread impact, but the ease of exploitation and sensitive data exposure make it a critical issue to address promptly.
Mitigation Recommendations
1. Immediate update: Organizations should update the Appointment Booking Calendar — Simply Schedule Appointments plugin to a patched version once released by the vendor. Since no patch links are currently available, monitor vendor communications closely.
2. Access control hardening: Restrict access to the WordPress REST API endpoints related to the plugin by implementing web application firewall (WAF) rules or custom endpoint restrictions to block unauthenticated requests to '/wp-json/ssa/v1/embed-inner' and '/wp-json/ssa/v1/settings/{section}'.
3. Disable or limit plugin usage: If an immediate patch is unavailable, consider disabling the plugin temporarily or limiting its usage to trusted internal networks only.
4. Monitor logs: Enable detailed logging of REST API access and monitor for unusual or unauthorized requests targeting the affected endpoints.
5. Implement least privilege: Review and minimize administrator contact information and internal tokens stored within the plugin settings to reduce sensitive data exposure.
6. Incident response readiness: Prepare to respond to potential appointment manipulation incidents by validating appointment changes and implementing secondary verification mechanisms.
7. Security testing: Conduct penetration testing focused on REST API endpoints to identify similar authorization weaknesses in other plugins or custom code.
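Steps 2 and 4 above, as an added site-level stopgap in PHP for a must-use plugin (this is not the vendor's code; the `ssa_guard_*` names are assumptions, and whether the embed route can be blocked without breaking a site's public booking widget is deployment-specific):

```php
<?php
/**
 * Plugin Name: SSA CVE-2026-3045 temporary route guard
 * Added illustrative example for wp-content/mu-plugins/, not the vendor's
 * code. Until the site is patched, only administrators may reach the two
 * routes named in the advisory; a public nonce alone does not count.
 */

// Route prefixes from the advisory. Assumption: if the public calendar on
// your site needs embed-inner, drop that entry and rely on the settings rule.
const SSA_GUARD_ROUTES = array(
    '/ssa/v1/settings',
    '/ssa/v1/embed-inner',
);

function ssa_guard_route_is_protected( $route ) {
    foreach ( SSA_GUARD_ROUTES as $prefix ) {
        if ( strpos( $route, $prefix ) === 0 ) {
            return true;
        }
    }
    return false;
}

// rest_pre_dispatch runs before the route's own permission_callback; returning
// a WP_Error here short-circuits the request.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( ! ssa_guard_route_is_protected( $request->get_route() ) ) {
        return $result; // unrelated route, pass through untouched
    }
    // Step 2: cookie-authenticated administrators (who carry a user-bound
    // nonce) are the only callers allowed while unpatched.
    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }
    // Step 4: leave a trace for log monitoring of blocked attempts.
    error_log( sprintf( 'ssa-guard: blocked %s %s from %s',
        $request->get_method(), $request->get_route(), $_SERVER['REMOTE_ADDR'] ?? '-' ) );
    return new WP_Error( 'rest_forbidden', 'This endpoint is restricted on this site.',
        array( 'status' => 401 ) );
}, 10, 3 );
```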
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-23T17:29:24.802Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b3c0802f860ef943a8ad9d
Added to database: 3/13/2026, 7:45:04 AM
Last enriched: 3/13/2026, 8:00:10 AM
Last updated: 3/14/2026, 4:44:24 AM