PatchSiren

CVE-2026-6937 croixhaug CVE debrief

A Missing Authorization vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress allows unauthenticated attackers to modify arbitrary appointment records and expose customer PII via the bulk appointments REST API endpoint. The vulnerability exists because the plugin fails to properly verify user authorization, and relies on a static, user-independent nonce value that is exposed in the HTML source of any page containing the [ssa_booking] shortcode. This allows any visitor who has viewed such a page to obtain the nonce and target any appointment in the system without authentication. Affected versions include all releases up to and including 1.6.11.8. The vulnerability was disclosed on 2026-05-28 and carries a CVSS 3.1 score of 5.3 (MEDIUM severity).

Vendor: croixhaug
Product: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
CVSS: 5.3 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

  • WordPress site administrators using the Simply Schedule Appointments Booking Plugin
  • Security teams responsible for WordPress plugin vulnerability management
  • Compliance officers concerned with customer PII protection and unauthorized data modification
  • Developers maintaining WordPress sites with appointment booking functionality

Technical summary

The Simply Schedule Appointments Booking Plugin for WordPress contains a Missing Authorization vulnerability (CWE-862) in its bulk appointments REST API endpoint. The plugin does not perform a capability check on the endpoint, so unauthenticated HTTP requests can modify arbitrary appointment records. The endpoint's only gate is a WordPress nonce that is generated once and is identical for every user; a nonce is a CSRF token, not an authorization check, and this one is embedded in the HTML source of any page rendering the [ssa_booking] shortcode, so any website visitor can read it. Successful exploitation permits modification of sensitive appointment fields, including customer personally identifiable information (PII), payment status indicators and meeting URLs, as well as extraction of full customer PII from the endpoint response. The vulnerability affects all plugin versions through 1.6.11.8 inclusive.
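The weak pattern the summary describes, set beside a REST permission callback that performs a real capability check. This is an added illustrative example, not the plugin's code; the `example-booking` namespace, the `example_` function names and the `manage_options` capability are assumptions.

```php
<?php
// Added illustrative example, not the plugin's code. Route names, the
// 'example_' function names and the capability used are assumptions.

// Anti-pattern: a nonce as the only gate. wp_create_nonce() on a public
// page runs as the logged-out user (ID 0), so a nonce printed into page HTML
// verifies for any anonymous request within its lifetime. A nonce is a CSRF
// token; it says nothing about who the caller is or what they may do.
function example_weak_permission( WP_REST_Request $request ) {
    return (bool) wp_verify_nonce( $request->get_param( '_nonce' ), 'example_booking' );
}

// Hardened: authorization is a capability check on the authenticated user.
// Cookie-authenticated REST requests only get a current user after core has
// validated the X-WP-Nonce header, so an anonymous caller presenting a
// scraped nonce still has no user and fails here.
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to modify appointments.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

function example_bulk_update_appointments( WP_REST_Request $request ) {
    $ids = $request->get_param( 'ids' ); // already sanitised to integers below
    // The actual record updates are out of scope for this example.
    return rest_ensure_response( array( 'updated' => count( $ids ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/appointments/bulk', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_bulk_update_appointments',
        // Never '__return_true' or the nonce-only callback above.
        'permission_callback' => 'example_hardened_permission',
        'args'                => array(
            'ids' => array(
                'required'          => true,
                'type'              => 'array',
                'items'             => array( 'type' => 'integer' ),
                'sanitize_callback' => 'wp_parse_id_list',
            ),
        ),
    ) );
} );
```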

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Simply Schedule Appointments Booking Plugin to a version beyond 1.6.11.8 as soon as a patched release is available
  • Review appointment records for unauthorized modifications, particularly changes to payment status, meeting URLs, and customer PII fields
  • Implement Web Application Firewall (WAF) rules to restrict access to the bulk appointments REST API endpoint to authenticated administrative users only
  • Remove or restrict pages containing the [ssa_booking] shortcode from public access until patching is complete, as these pages expose the static nonce required for exploitation
  • Audit access logs for requests to the bulk appointments REST API endpoint from unauthenticated sources
  • Consider implementing additional authorization checks at the web server or reverse proxy level for sensitive REST API endpoints
  • Review and rotate any meeting URLs or credentials that may have been exposed through compromised appointment records

Evidence notes

The vulnerability is documented through WordPress Plugin Trac browser links showing affected code in versions 1.6.10.0, 1.6.11.0, and trunk, with specific references to class-appointment-model.php, class-bootstrap.php, and class-td-api-model.php. A changeset reference indicates remediation activity. The Wordfence threat intelligence entry provides additional context on the vulnerability scope and impact.

Official resources