Skip to main content

Appointment Booking Calendar CVE-2026-12113

| EUVDEUVD-2026-40903 MEDIUM
Missing Authorization (CWE-862)
2026-07-01 Wordfence GHSA-jg95-92mw-5qqj
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Endpoint reachable over network (AV:N), contributor login required (PR:L), only booking PII disclosed with no write or availability impact (C:L/I:N/A:N), no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:32 vuln.today
CVE Published
Jul 01, 2026 - 04:32 nvd
MEDIUM 4.3

DescriptionCVE.org

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer names, email addresses, phone numbers, appointment comments, and other booking personally identifiable information.

AnalysisAI

Sensitive PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.02) allows any authenticated user with contributor-level access to retrieve customer booking records - including names, email addresses, phone numbers, and appointment comments - via the unprotected cpabc_appointments_filter_list AJAX action. The root cause is CWE-862 (Missing Authorization): the endpoint performs no capability check before returning data, meaning the attacker's only prerequisite is a valid WordPress login at contributor tier or above. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor-level WordPress credentials
Delivery
Authenticate to target WordPress site
Exploit
Send POST to wp-admin/admin-ajax.php with action=cpabc_appointments_filter_list
Execution
Missing authorization check bypassed
Impact
Receive full customer PII dataset in response

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at least contributor-level role (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the threat model: the attack is network-reachable, requires no special conditions, and needs only a contributor-level WordPress account, but the impact is limited to confidentiality of booking PII with no integrity or availability consequence and no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a contributor-level WordPress account on a target site running the Appointment Booking Calendar plugin. They send an authenticated POST request to `wp-admin/admin-ajax.php` with `action=cpabc_appointments_filter_list` and any required nonce, and the server responds with the full appointment booking dataset containing customer names, email addresses, phone numbers, and appointment comments. …
Remediation Update the Appointment Booking Calendar plugin to the version that incorporates SVN changeset 3581633, which reflects the upstream source-level fix committed to the plugin's trunk; however, the specific patched release version number is not independently confirmed in the available data - verify the current version in the WordPress plugin repository before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12113 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy