CVE-2026-4807: CWE-862 Missing Authorization in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar plugin for WordPress (Simply Schedule Appointments) up to version 1. 6. 10. 6 has a missing authorization vulnerability due to flawed logic in nonce permission checks. A site-wide reusable nonce is publicly exposed via a REST API endpoint accessible to unauthenticated users. Attackers can exploit this to view, delete, or modify any appointment without authentication, leading to sensitive data disclosure and service disruption.
AI Analysis
Technical Summary
CVE-2026-4807 describes a missing authorization vulnerability (CWE-862) in the Appointment Booking Calendar plugin for WordPress. The issue arises from the nonce_permissions_check() method, which improperly validates requests by falling back to a publicly exposed site-wide nonce (public_nonce) when the X-WP-Nonce header validation fails. This public_nonce is accessible to unauthenticated users through the /wp-json/ssa/v1/embed-inner endpoint. Consequently, attackers can use this nonce to bypass authorization checks on endpoints that delete or view appointments, enabling unauthorized viewing, modification, or deletion of appointments across the system.
Potential Impact
Exploitation allows unauthenticated attackers to access sensitive appointment details, including public_edit_url values, and to delete or modify any appointment by ID. This results in disclosure of sensitive data, potential loss of booking records, and disruption of appointment services. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and high availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, restrict access to the affected REST API endpoints if possible, or disable the plugin if feasible to prevent exploitation. Monitor vendor channels for updates and apply official fixes promptly once released.
CVE-2026-4807: CWE-862 Missing Authorization in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Description
The Appointment Booking Calendar plugin for WordPress (Simply Schedule Appointments) up to version 1. 6. 10. 6 has a missing authorization vulnerability due to flawed logic in nonce permission checks. A site-wide reusable nonce is publicly exposed via a REST API endpoint accessible to unauthenticated users. Attackers can exploit this to view, delete, or modify any appointment without authentication, leading to sensitive data disclosure and service disruption.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4807 describes a missing authorization vulnerability (CWE-862) in the Appointment Booking Calendar plugin for WordPress. The issue arises from the nonce_permissions_check() method, which improperly validates requests by falling back to a publicly exposed site-wide nonce (public_nonce) when the X-WP-Nonce header validation fails. This public_nonce is accessible to unauthenticated users through the /wp-json/ssa/v1/embed-inner endpoint. Consequently, attackers can use this nonce to bypass authorization checks on endpoints that delete or view appointments, enabling unauthorized viewing, modification, or deletion of appointments across the system.
Potential Impact
Exploitation allows unauthenticated attackers to access sensitive appointment details, including public_edit_url values, and to delete or modify any appointment by ID. This results in disclosure of sensitive data, potential loss of booking records, and disruption of appointment services. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and high availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is currently documented. Until a patch is available, restrict access to the affected REST API endpoints if possible, or disable the plugin if feasible to prevent exploitation. Monitor vendor channels for updates and apply official fixes promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-25T12:28:32.101Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fc01afcbff5d86105e8a37
Added to database: 5/7/2026, 3:06:23 AM
Last enriched: 5/7/2026, 3:21:23 AM
Last updated: 5/7/2026, 4:10:40 AM
Views: 27
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.