CVE-2026-9188: CWE-639 Authorization Bypass Through User-Controlled Key in wappointment Appointment Bookings for Zoom GoogleMeet and more – Wappointment
The Wappointment WordPress plugin for appointment bookings is vulnerable to an authorization bypass via a predictable edit key. This key is generated as an unsalted MD5 hash of predictable parameters, allowing unauthenticated attackers to cancel or reschedule other users' appointments if cancellation or rescheduling is enabled. The vulnerability affects all versions up to and including 2.7.6. The CVSS score is 5.3 (medium severity). No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
CVE-2026-9188 describes an insecure direct object reference vulnerability in the Wappointment plugin for WordPress. The plugin uses an edit key for appointment authorization, generated as a predictable, unsalted MD5 hash of client_id (sequential integer), start_at (public timestamp), and staff_id (small enumerable integer). Because the key is predictable and no additional ownership or identity verification is performed, unauthenticated attackers can compute valid keys for other users' appointments and cancel or reschedule them via REST endpoints. Exploitation requires that the site has cancellation or rescheduling enabled, which are common configurations. The vulnerability affects all versions up to and including 2.7.6. No patch or official fix is currently documented.
Potential Impact
An attacker can bypass authorization controls to cancel or reschedule appointments belonging to other users without authentication. This results in unauthorized modification of appointment data (integrity impact) but does not disclose confidential information or cause denial of service. The impact is limited to integrity loss of appointment bookings.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider disabling the allow_cancellation and allow_rescheduling settings to prevent exploitation. Monitor for updates from the vendor regarding patches or official mitigations.
CVSS v3.1
Score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-05-21T15:04:38.302Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a4634ad27e9c79719a6e420
Added to database: 07/02/2026, 09:51:41 UTC
Last enriched: 07/02/2026, 10:06:49 UTC
Last updated: 07/02/2026, 10:12:56 UTC