Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable wp-admin endpoint requires only Contributor-level authentication (PR:L); no complexity or interaction; confidentiality limited to plugin booking data (C:L), no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function, which is reachable via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks is_admin() && current_user_can('edit_posts'), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin.
AnalysisAI
Sensitive customer PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.01) allows any authenticated user with Contributor-level access to exfiltrate booking records from calendars they do not own. The root cause is an IDOR (Insecure Direct Object Reference) in the cpabc_appointments_calendar_load2() function: the function enforces only a broad role check (edit_posts capability) without verifying that the requesting user owns the calendar ID supplied via the id parameter. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum the Contributor role, which grants the edit_posts capability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N accurately reflects the attack surface in isolation: remote exploitation is trivial once an attacker holds a Contributor account (PR:L), with no interaction or complexity required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered or compromised a Contributor-level account on a targeted WordPress site authenticates to wp-admin and issues a series of HTTP GET requests to wp-admin with the query parameters cpabc_calendar_load2=1&id=N, incrementing N to enumerate all calendar IDs. For each valid calendar ID, the server returns a dataset containing customer names, email addresses, phone numbers, booking times, and comments belonging to that calendar's bookings. … |
| Remediation | The primary fix is to update the Appointment Booking Calendar plugin beyond version 1.4.01. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Appointment Booking Calendar
View allThe Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could al
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or
The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea para
Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress. Rated high severity (
Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. Rated medium severity (CVSS 4.
SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar pl
Sensitive PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.02) allows
Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appoint
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionali
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37864
GHSA-w9f2-px6f-gvmg