Skip to main content

WordPress CVE-2026-2262

| EUVDEUVD-2026-23577 HIGH
Information Exposure (CWE-200)
2026-04-18 security@wordfence.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 22, 2026 - 20:37 vuln.today
cvss_changed
PoC Detected
Apr 22, 2026 - 20:22 vuln.today
Public exploit code
Analysis Generated
Apr 18, 2026 - 00:38 vuln.today
EUVD ID Assigned
Apr 18, 2026 - 00:22 euvd
EUVD-2026-23577
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
HIGH 7.5

DescriptionCVE.org

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/ea_appointments/ REST API endpoint. This is due to the endpoint being registered with 'permission_callback' => '__return_true', which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

AnalysisAI

Unauthenticated information disclosure in WordPress Easy Appointments plugin ≤3.12.21 exposes customer appointment data via unprotected REST API endpoint. Remote attackers without authentication can extract full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information through /wp-json/wp/v2/eablocks/ea_appointments/. CVSS score 7.5 (High) with EPSS data not yet available. Patch released in version 3.12.22 per WordPress plugin repository changeset. No active exploitation confirmed (not in CISA KEV), but the trivial exploit complexity (AV:N/AC:L/PR:N/UI:N) and privacy impact make this a priority for sites handling sensitive appointment data.

Technical ContextAI

WordPress REST API endpoints require proper permission callbacks to enforce access controls. This vulnerability stems from registering the /wp-json/wp/v2/eablocks/ea_appointments/ endpoint in ea-blocks.php with 'permission_callback' => '__return_true' - a function that unconditionally returns true, effectively bypassing all authentication and authorization checks. Per WordPress REST API architecture, permission callbacks are the primary security boundary for custom endpoints. The __return_true pattern is sometimes used during development but should never be deployed in production for sensitive data endpoints. The CWE-200 classification (Exposure of Sensitive Information to an Unauthorized Actor) accurately describes the root cause. Source code references point to lines 141 and 190 in ea-blocks/ea-blocks.php where the vulnerable endpoint registration occurs. The plugin manages appointment scheduling for WordPress sites, making customer PII (personally identifiable information) the primary data at risk.

RemediationAI

Upgrade Easy Appointments plugin to version 3.12.22 immediately via WordPress admin dashboard (Plugins → Updates) or by downloading from the official WordPress plugin repository. The fix is documented in changeset 3485692 which replaces the vulnerable 'permission_callback' => '__return_true' with proper authorization checks. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the Easy Appointments plugin entirely until upgrade is possible - this prevents appointment booking functionality but fully mitigates data exposure. (2) Use Web Application Firewall (WAF) or security plugin rules to block HTTP requests to /wp-json/wp/v2/eablocks/ea_appointments/ path for non-authenticated users - requires careful rule testing to avoid blocking legitimate appointment management. (3) Restrict WordPress REST API access to authenticated users only via plugin like Disable REST API - this may break other legitimate API integrations. After patching, audit server logs for unauthorized access to the vulnerable endpoint pattern to identify potential prior data exposure. Source code comparison at https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-appointments/tags/3.12.21&new_path=%2Feasy-appointments/tags/3.12.22 shows exact fix implementation.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-2262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy