PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11992 easyappointments CVE debrief

The Easy Appointments plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 3.12.27. This allows authenticated attackers with author-level access and above to cancel all upcoming appointments site-wide by marking every future appointment as abandoned. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. Users of the Easy Appointments plugin for WordPress, particularly those with author-level access or higher, should be aware of this vulnerability and take immediate action to protect their sites.

Vendor
easyappointments
Product
Easy Appointments
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of the Easy Appointments plugin for WordPress, particularly those with author-level access or higher, should be aware of this vulnerability and take immediate action to protect their sites. This includes updating the plugin to the latest version, restricting access to the Appointments admin page, and monitoring for suspicious activity.

Technical summary

The Easy Appointments plugin for WordPress is vulnerable to authorization bypass due to improper verification of user authorization. This allows authenticated attackers with author-level access and above to cancel all upcoming appointments site-wide by marking every future appointment as abandoned. The nonce required for cancellation requests is accessible to low-privileged users on the Appointments admin page, which is gated only by the edit_posts capability that Authors possess.

Defensive priority

High priority for sites using the Easy Appointments plugin, especially those with multiple authors or users with elevated privileges.

Recommended defensive actions

  • Update the Easy Appointments plugin to the latest version
  • Restrict access to the Appointments admin page to trusted users
  • Monitor appointment cancellations for suspicious activity
  • Implement additional logging and monitoring for user actions
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability was reported by [email protected] and is publicly documented in the CVE record and NVD detail pages. The Easy Appointments plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 3.12.27. This allows authenticated attackers with author-level access and above to cancel all upcoming appointments site-wide. The nonce required for cancellation requests is accessible to low-privileged users on the Appointments admin page, which is gated only by the edit_posts capability that Authors possess. Evidence limits suggest that further verification is needed to confirm affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:52.280Z and has not been modified since then.