PatchSiren cyber security CVE debrief
CVE-2026-11992 easyappointments CVE debrief
The Easy Appointments plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 3.12.27. This allows authenticated attackers with author-level access and above to cancel all upcoming appointments site-wide by marking every future appointment as abandoned. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. Users of the Easy Appointments plugin for WordPress, particularly those with author-level access or higher, should be aware of this vulnerability and take immediate action to protect their sites.
- Vendor
- easyappointments
- Product
- Easy Appointments
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the Easy Appointments plugin for WordPress, particularly those with author-level access or higher, should be aware of this vulnerability and take immediate action to protect their sites. This includes updating the plugin to the latest version, restricting access to the Appointments admin page, and monitoring for suspicious activity.
Technical summary
The Easy Appointments plugin for WordPress is vulnerable to authorization bypass due to improper verification of user authorization. This allows authenticated attackers with author-level access and above to cancel all upcoming appointments site-wide by marking every future appointment as abandoned. The nonce required for cancellation requests is accessible to low-privileged users on the Appointments admin page, which is gated only by the edit_posts capability that Authors possess.
Defensive priority
High priority for sites using the Easy Appointments plugin, especially those with multiple authors or users with elevated privileges.
Recommended defensive actions
- Update the Easy Appointments plugin to the latest version
- Restrict access to the Appointments admin page to trusted users
- Monitor appointment cancellations for suspicious activity
- Implement additional logging and monitoring for user actions
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability was reported by [email protected] and is publicly documented in the CVE record and NVD detail pages. The Easy Appointments plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 3.12.27. This allows authenticated attackers with author-level access and above to cancel all upcoming appointments site-wide. The nonce required for cancellation requests is accessible to low-privileged users on the Appointments admin page, which is gated only by the edit_posts capability that Authors possess. Evidence limits suggest that further verification is needed to confirm affected scope and severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:52.280Z and has not been modified since then.