CVE-2026-3045 in Appointment Booking Calendar Pluginالمعلومات

الملخص

بحسب MITRE • 13/03/2026

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

Wordfence

حجز

23/02/2026

إفشاء

13/03/2026

الاعتدال

تمت الموافقة

إدخال

VDB-350822

EPSS

0.00049

KEV

لا

النشاطات

منخفض جدًا

القطاع

Lawfirm, Finance, ...

المصادر

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-3045
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-3045
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-3045/

التالي نظرة عامة السابق

Want to stay up to date on a daily basis?

Enable the mail alert feature now!