CVE-2026-3045

Vulnerability Description

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.

CVSS Score

Related Weaknesses (CWE)

References

• https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6
• https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6
• https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new
• https://www.wordfence.com/threat-intel/vulnerabilities/id/5970b8d6-0041-4c30-a6c