CVE-2026-3045: CWE-862 Missing Authorization in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
AI Analysis
Technical Summary
CVE-2026-3045 is a high-severity authorization vulnerability (CWE-862) in the Simply Schedule Appointments WordPress plugin. The vulnerability arises because a non-user-bound public nonce is exposed to unauthenticated users through the /wp-json/ssa/v1/embed-inner REST endpoint. The get_item() method in SSA_Settings_Api relies on nonce_permissions_check() for authorization, which accepts this public nonce, but does not invoke remove_unauthorized_settings_for_current_user() to filter out admin-only settings. Consequently, unauthenticated attackers can retrieve sensitive administrative settings and appointment tokens via the /wp-json/ssa/v1/settings/{section} endpoint, potentially allowing modification or cancellation of appointments.
Potential Impact
This vulnerability allows unauthenticated attackers to access sensitive administrative data including administrator contact details, internal access tokens, and configuration settings. Additionally, attackers can leverage exposed appointment tokens to modify or cancel appointments without authorization. The confidentiality of sensitive data is compromised, but there is no indication of impact on integrity beyond appointment modification or cancellation, and no availability impact is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Until a patch is available, restrict access to the affected REST API endpoints if possible, and monitor plugin updates from the vendor. Avoid exposing the plugin to unauthenticated users or consider disabling the plugin if sensitive data exposure risk is unacceptable.
CVE-2026-3045: CWE-862 Missing Authorization in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Description
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3045 is a high-severity authorization vulnerability (CWE-862) in the Simply Schedule Appointments WordPress plugin. The vulnerability arises because a non-user-bound public nonce is exposed to unauthenticated users through the /wp-json/ssa/v1/embed-inner REST endpoint. The get_item() method in SSA_Settings_Api relies on nonce_permissions_check() for authorization, which accepts this public nonce, but does not invoke remove_unauthorized_settings_for_current_user() to filter out admin-only settings. Consequently, unauthenticated attackers can retrieve sensitive administrative settings and appointment tokens via the /wp-json/ssa/v1/settings/{section} endpoint, potentially allowing modification or cancellation of appointments.
Potential Impact
This vulnerability allows unauthenticated attackers to access sensitive administrative data including administrator contact details, internal access tokens, and configuration settings. Additionally, attackers can leverage exposed appointment tokens to modify or cancel appointments without authorization. The confidentiality of sensitive data is compromised, but there is no indication of impact on integrity beyond appointment modification or cancellation, and no availability impact is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided at this time. Until a patch is available, restrict access to the affected REST API endpoints if possible, and monitor plugin updates from the vendor. Avoid exposing the plugin to unauthenticated users or consider disabling the plugin if sensitive data exposure risk is unacceptable.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-23T17:29:24.802Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69b3c0802f860ef943a8ad9d
Added to database: 3/13/2026, 7:45:04 AM
Last enriched: 4/9/2026, 6:45:37 PM
Last updated: 4/28/2026, 7:21:23 AM
Views: 92
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.