Skip to main content

Appointment Booking Calendar CVE-2026-12111

| EUVDEUVD-2026-37864 MEDIUM
Information Exposure (CWE-200)
2026-06-18 Wordfence GHSA-w9f2-px6f-gvmg
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable wp-admin endpoint requires only Contributor-level authentication (PR:L); no complexity or interaction; confidentiality limited to plugin booking data (C:L), no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 08:08 vuln.today
CVE Published
Jun 18, 2026 - 06:50 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function, which is reachable via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks is_admin() && current_user_can('edit_posts'), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin.

AnalysisAI

Sensitive customer PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.01) allows any authenticated user with Contributor-level access to exfiltrate booking records from calendars they do not own. The root cause is an IDOR (Insecure Direct Object Reference) in the cpabc_appointments_calendar_load2() function: the function enforces only a broad role check (edit_posts capability) without verifying that the requesting user owns the calendar ID supplied via the id parameter. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register Contributor-level WordPress account
Delivery
Authenticate to wp-admin
Exploit
Send GET request with cpabc_calendar_load2=1&id=[target_id]
Execution
Bypass ownership check via insufficient authorization
Persist
Enumerate all calendar IDs
Impact
Extract customer PII records

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum the Contributor role, which grants the edit_posts capability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N accurately reflects the attack surface in isolation: remote exploitation is trivial once an attacker holds a Contributor account (PR:L), with no interaction or complexity required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or compromised a Contributor-level account on a targeted WordPress site authenticates to wp-admin and issues a series of HTTP GET requests to wp-admin with the query parameters cpabc_calendar_load2=1&id=N, incrementing N to enumerate all calendar IDs. For each valid calendar ID, the server returns a dataset containing customer names, email addresses, phone numbers, booking times, and comments belonging to that calendar's bookings. …
Remediation The primary fix is to update the Appointment Booking Calendar plugin beyond version 1.4.01. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12111 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy