PatchSiren cyber security CVE debrief

CVE-2026-12111 codepeople CVE debrief

The Appointment Booking Calendar plugin for WordPress has a Sensitive Information Exposure vulnerability (CVE-2026-12111, CVSS Score: 4.3) in versions up to and including 1.4.01. This vulnerability allows authenticated attackers with Contributor-level access or above to extract customer booking information from any calendar managed by the plugin. The issue arises from insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function. Attackers can exploit this by supplying an arbitrary calendar ID via the id parameter, potentially accessing email addresses, names, phone numbers, booking times, and comments.

Vendor: codepeople
Product: Appointment Booking Calendar
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-18
Advisory published: 2026-06-18
Advisory updated: 2026-06-18

Who should care

WordPress administrators and users with Contributor-level access or above who use the Appointment Booking Calendar plugin should be aware of this vulnerability. Security teams responsible for monitoring and patching WordPress installations, especially those that expose customer-facing appointment booking, should prioritize patching and monitoring for potential exploitation.

Technical summary

The vulnerability exists in the cpabc_appointments_calendar_load2() function of the Appointment Booking Calendar plugin. This function is accessible via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks if the user is an administrator or has the 'edit_posts' capability, which is available to Contributor-level users and above. The function fails to perform adequate authorization and per-calendar ownership checks, allowing attackers to supply an arbitrary calendar ID and extract sensitive customer booking information.
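To show the difference between the capability-only check described above and a check that also enforces per-calendar ownership, here is an added illustration in PHP. It is not the plugin's own code: the helper name cpabc_user_can_access_calendar(), the table cpabc_calendars and its id/owner_id columns are assumptions, since the plugin's real schema is not part of this debrief.

```php
<?php
// Added illustration, not code from the Appointment Booking Calendar plugin.
// Assumed: table {$wpdb->prefix}cpabc_calendars with columns id and owner_id.

/**
 * Hypothetical object-level check: true only when the current user owns the
 * calendar, or may manage the whole site.
 */
function cpabc_user_can_access_calendar( $calendar_id ) {
    global $wpdb;

    $calendar_id = absint( $calendar_id );
    if ( 0 === $calendar_id ) {
        return false; // no usable id supplied
    }
    // Site administrators may read every calendar.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // Assumed schema; the point is that the row is tied back to the caller.
    $owner_id = $wpdb->get_var( $wpdb->prepare(
        "SELECT owner_id FROM {$wpdb->prefix}cpabc_calendars WHERE id = %d",
        $calendar_id
    ) );
    return null !== $owner_id && (int) $owner_id === get_current_user_id();
}

/**
 * Hardened shape of the loader handler. The vulnerable version stopped after
 * the capability check; this version also requires ownership of the calendar.
 */
function cpabc_appointments_calendar_load2_hardened() {
    // Capability check alone is insufficient: Contributors hold edit_posts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $calendar_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;

    // Per-calendar ownership check: the step the vulnerable code omitted.
    if ( ! cpabc_user_can_access_calendar( $calendar_id ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Only now is it safe to load and return bookings for $calendar_id.
}
```

The same pattern applies to any handler that takes a record id from the request: authenticate, check the capability, then verify the specific record belongs to the caller before returning its data.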

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the Appointment Booking Calendar plugin to a version beyond 1.4.01.
  • Restrict access to the wp-admin area, especially for users with Contributor-level access.
  • Implement additional monitoring for potential exploitation attempts.
  • Review and adjust the plugin's configuration to enforce proper authorization and ownership checks.
  • Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
  • Regularly review and update all WordPress plugins and themes to ensure the latest security patches are applied.

Evidence notes

The information provided is based on the CVE-2026-12111 record and related sources from NVD and Wordfence. The vulnerability was published on June 18, 2026, and last modified on the same day. The details about the vulnerability, including its CVSS score and affected versions, are derived from these reliable sources.

Official resources

CVE-2026-12111 was published on 2026-06-18T08:16:33.377Z and modified on 2026-06-18T15:23:56.087Z.