Skip to main content

Easy Appointments CVE-2026-11992

| EUVDEUVD-2026-42850 MEDIUM
Missing Authorization (CWE-862)
2026-07-10 Wordfence GHSA-xfx8-39w8-9g2h
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
6.5 MEDIUM

Author-level auth required (PR:L); attacker can modify ALL appointment records (I:H, not I:L); no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 09:30 vuln.today
CVE Published
Jul 10, 2026 - 07:48 nvd
MEDIUM 4.3

DescriptionCVE.org

The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to cancel all upcoming appointments site-wide by marking every future appointment stored by the plugin as abandoned. The nonce required to authenticate the cancellation request is printed on the Appointments admin page, which is itself gated only by the edit_posts capability that Authors possess, making the nonce readily accessible to low-privileged users.

AnalysisAI

Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the edit_posts capability that Authors possess by default. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register Author-level WordPress account
Delivery
Log into wp-admin and navigate to Appointments admin page
Exploit
Extract mass-cancellation nonce from rendered page HTML
Execution
Craft AJAX POST request to cancellation endpoint
Impact
All future appointments marked abandoned site-wide

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with at minimum the Author role, which grants the `edit_posts` capability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.3 (Medium, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) likely underrepresents practical business impact: the I:L rating does not reflect that the attack modifies the entirety of the plugin's appointment dataset, not merely some records. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a WordPress Author account - obtained via open user registration, credential stuffing, or a compromised contributor - logs into wp-admin, navigates to the Appointments admin page (accessible by default to Authors), extracts the cancellation nonce embedded in the page HTML, and issues a single crafted AJAX POST request to the plugin's cancel endpoint. The result is that every future appointment in the system is immediately marked as abandoned, disrupting all scheduled bookings site-wide without any additional privilege escalation or user interaction.
Remediation No vendor-released patched version has been confirmed in the available data - administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/eea33d0b-2547-4c51-8c4c-d178d6c8502d and the WordPress plugin repository for a patched release and upgrade immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy