Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/ea_appointments/ REST API endpoint. This is due to the endpoint being registered with 'permission_callback' => '__return_true', which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.
AnalysisAI
Unauthenticated information disclosure in WordPress Easy Appointments plugin ≤3.12.21 exposes customer appointment data via unprotected REST API endpoint. Remote attackers without authentication can extract full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information through /wp-json/wp/v2/eablocks/ea_appointments/. CVSS score 7.5 (High) with EPSS data not yet available. Patch released in version 3.12.22 per WordPress plugin repository changeset. No active exploitation confirmed (not in CISA KEV), but the trivial exploit complexity (AV:N/AC:L/PR:N/UI:N) and privacy impact make this a priority for sites handling sensitive appointment data.
Technical ContextAI
WordPress REST API endpoints require proper permission callbacks to enforce access controls. This vulnerability stems from registering the /wp-json/wp/v2/eablocks/ea_appointments/ endpoint in ea-blocks.php with 'permission_callback' => '__return_true' - a function that unconditionally returns true, effectively bypassing all authentication and authorization checks. Per WordPress REST API architecture, permission callbacks are the primary security boundary for custom endpoints. The __return_true pattern is sometimes used during development but should never be deployed in production for sensitive data endpoints. The CWE-200 classification (Exposure of Sensitive Information to an Unauthorized Actor) accurately describes the root cause. Source code references point to lines 141 and 190 in ea-blocks/ea-blocks.php where the vulnerable endpoint registration occurs. The plugin manages appointment scheduling for WordPress sites, making customer PII (personally identifiable information) the primary data at risk.
RemediationAI
Upgrade Easy Appointments plugin to version 3.12.22 immediately via WordPress admin dashboard (Plugins → Updates) or by downloading from the official WordPress plugin repository. The fix is documented in changeset 3485692 which replaces the vulnerable 'permission_callback' => '__return_true' with proper authorization checks. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the Easy Appointments plugin entirely until upgrade is possible - this prevents appointment booking functionality but fully mitigates data exposure. (2) Use Web Application Firewall (WAF) or security plugin rules to block HTTP requests to /wp-json/wp/v2/eablocks/ea_appointments/ path for non-authenticated users - requires careful rule testing to avoid blocking legitimate appointment management. (3) Restrict WordPress REST API access to authenticated users only via plugin like Disable REST API - this may break other legitimate API integrations. After patching, audit server logs for unauthorized access to the vulnerable endpoint pattern to identify potential prior data exposure. Source code comparison at https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-appointments/tags/3.12.21&new_path=%2Feasy-appointments/tags/3.12.22 shows exact fix implementation.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23577