CVE-2026-3045 in Appointment Booking Calendar Plugin
Summary
by MITRE • 03/13/2026
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability identified in CVE-2026-3045 affects the Appointment Booking Calendar plugin for WordPress, specifically versions up to and including 1.6.9.29. It is a critical authorization flaw that lets unauthenticated attackers obtain sensitive administrative data through exposed REST API endpoints. The issue stems from fundamental design flaws in the plugin's permission handling, which give attackers a path around the standard authentication requirements and into configuration data that should remain restricted to authorized administrators.
The technical exploitation occurs through two interconnected weaknesses that compound the vulnerability. First, a public nonce mechanism is exposed through the `/wp-json/ssa/v1/embed-inner` REST endpoint, which allows any unauthenticated user to obtain a nonce value that should remain protected. This public nonce is then leveraged in subsequent API calls to bypass standard authorization checks. Second, the `get_item()` method within the `SSA_Settings_Api` class relies on `nonce_permissions_check()` for authorization validation, but fails to implement proper filtering through `remove_unauthorized_settings_for_current_user()`. This omission means that when an attacker uses the valid public nonce to access settings endpoints, they receive complete access to all plugin configuration data regardless of their authentication status.
The operational impact of this vulnerability extends beyond simple information disclosure to include potential appointment manipulation. Attackers can obtain administrator contact details, including email addresses and phone numbers, which could facilitate further social engineering attacks. Internal access tokens and notification configurations are also exposed, potentially allowing attackers to intercept appointment notifications or gain deeper system access. The most concerning aspect is the exposure of appointment tokens, which gives attackers the ability to modify or cancel appointments, potentially disrupting business operations and compromising the integrity of appointment scheduling. This vulnerability directly aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient authorization checks in a web application.
The exploitation of this vulnerability demonstrates a failure in proper input validation and access control implementation within the WordPress REST API framework. Attackers can systematically access the `/wp-json/ssa/v1/settings/{section}` endpoint using the exposed public nonce to retrieve sensitive administrative configurations. This pattern of vulnerability aligns with ATT&CK technique T1213.002 (Exploitation for Credential Access) and T1078 (Valid Accounts) as it allows attackers to leverage exposed credentials and access tokens to gain unauthorized access to system resources. The plugin's failure to properly implement role-based access control and to filter settings based on user permissions creates a persistent security risk that affects all users of the vulnerable versions.
Mitigation should focus on immediately updating the plugin to a version that addresses the nonce handling and authorization filtering issues. Where possible, administrators should also apply network-level restrictions to limit access to the exposed REST endpoints. The WordPress security team recommends updating to the latest plugin version as soon as one is available and adding monitoring for unusual access patterns to the affected endpoints. Organizations should also audit their plugin ecosystem for similar authorization flaws in other third-party components. Security monitoring should include detection of unauthorized access attempts to the specific REST endpoints named in this vulnerability, as well as unusual data access patterns that might indicate exploitation attempts.
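As an added example (not part of the VulDB entry or the plugin's code), the following Python script implements the endpoint monitoring suggested above: it parses web server access logs in the common "combined" format and flags any client that fetches the public nonce from `/wp-json/ssa/v1/embed-inner` and then, within a short window, reads a section from `/wp-json/ssa/v1/settings/`. The log lines, IP addresses and window size are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines ("combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2026:10:02:11 +0000] "GET /wp-json/ssa/v1/embed-inner HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.7 - - [14/Mar/2026:10:02:13 +0000] "GET /wp-json/ssa/v1/settings/developer?_wpnonce=abc HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [14/Mar/2026:10:02:14 +0000] "GET /wp-json/ssa/v1/settings/notifications HTTP/1.1" 200 2211 "-" "curl/8.5.0"
198.51.100.9 - - [14/Mar/2026:10:05:00 +0000] "GET /wp-json/ssa/v1/embed-inner HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2026:10:05:02 +0000] "GET /wp-json/ssa/v1/booking HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.4 - - [14/Mar/2026:11:00:00 +0000] "GET /wp-json/ssa/v1/settings/general HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
NONCE_SOURCE = "/wp-json/ssa/v1/embed-inner"      # endpoint that leaks the public nonce
SETTINGS_PREFIX = "/wp-json/ssa/v1/settings/"     # endpoint that returns unfiltered settings


def parse_line(line):
    """Return ip, timestamp, path (query string stripped) and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def find_settings_chains(log_text, window_seconds=300):
    """Flag successful settings reads; 'high' when the same client fetched the public nonce just before."""
    last_nonce_fetch = {}   # ip -> timestamp of its most recent embed-inner request
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["status"] != 200:
            continue            # only successful requests matter for this chain
        if ev["path"] == NONCE_SOURCE:
            last_nonce_fetch[ev["ip"]] = ev["ts"]
        elif ev["path"].startswith(SETTINGS_PREFIX):
            section = ev["path"][len(SETTINGS_PREFIX):]
            fetched = last_nonce_fetch.get(ev["ip"])
            if fetched is not None and ev["ts"] - fetched <= timedelta(seconds=window_seconds):
                alerts.append({"ip": ev["ip"], "section": section, "severity": "high"})
            else:
                # A settings read with no preceding nonce fetch may be legitimate admin
                # dashboard traffic; surface it for review rather than as a confirmed chain.
                alerts.append({"ip": ev["ip"], "section": section, "severity": "review"})
    return alerts


if __name__ == "__main__":
    for a in find_settings_chains(SAMPLE_LOG):
        print(f"{a['severity']:6} {a['ip']:14} settings/{a['section']}")
```

Run against the sample, the client 203.0.113.7 is reported as a high-severity nonce-then-settings chain for the `developer` and `notifications` sections, while the stand-alone read of `general` by 192.0.2.4 is listed for review.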