Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Author-level auth required (PR:L); attacker can modify ALL appointment records (I:H, not I:L); no confidentiality or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to cancel all upcoming appointments site-wide by marking every future appointment stored by the plugin as abandoned. The nonce required to authenticate the cancellation request is printed on the Appointments admin page, which is itself gated only by the edit_posts capability that Authors possess, making the nonce readily accessible to low-privileged users.
AnalysisAI
Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the edit_posts capability that Authors possess by default. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with at minimum the Author role, which grants the `edit_posts` capability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.3 (Medium, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) likely underrepresents practical business impact: the I:L rating does not reflect that the attack modifies the entirety of the plugin's appointment dataset, not merely some records. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a WordPress Author account - obtained via open user registration, credential stuffing, or a compromised contributor - logs into wp-admin, navigates to the Appointments admin page (accessible by default to Authors), extracts the cancellation nonce embedded in the page HTML, and issues a single crafted AJAX POST request to the plugin's cancel endpoint. The result is that every future appointment in the system is immediately marked as abandoned, disrupting all scheduled bookings site-wide without any additional privilege escalation or user interaction. |
| Remediation | No vendor-released patched version has been confirmed in the available data - administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/eea33d0b-2547-4c51-8c4c-d178d6c8502d and the WordPress plugin repository for a patched release and upgrade immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Easy Appointments
View allalextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by paramet
Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Information Disclosure (Username and Password Hash). Rated
Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively
Unauthenticated information disclosure in the Easy Appointments WordPress plugin (versions ≤ 3.12.21) allows remote atta
The Easy Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ea_full_calend
The Easy!Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'easyappointmen
The Easy Appointments plugin before 1.12.0 for WordPress has XSS via a Settings values in the admin panel. Rated medium
The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user v
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42850
GHSA-xfx8-39w8-9g2h