
Easy Appointments CVE-2026-39513

EUVD-2026-36952 · HIGH
Missing Authorization (CWE-862)
2026-06-15 · Patchstack · GHSA-664v-gm8m-vh2f
CVSS 3.1 base score: 7.5 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 7.5 HIGH

Remote unauthenticated HTTP request to a WordPress plugin endpoint with missing authorization; broken access control discloses sensitive data (C:H) without modifying or disrupting state.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 22:22 (vuln.today)

Description (CVE.org)

Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions.

Analysis (AI)

Unauthenticated information disclosure in the Easy Appointments WordPress plugin (versions ≤ 3.12.21) allows remote attackers to access protected appointment data without authentication due to missing authorization checks. Patchstack reports the issue as a broken access control flaw with high confidentiality impact (CVSS 7.5); no public exploit identified at time of analysis, and the plugin is not currently listed in CISA KEV.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Fingerprint WordPress site running Easy Appointments
Delivery: Identify vulnerable plugin endpoint
Exploit: Send unauthenticated HTTP request bypassing access control
Execution: Receive restricted appointment/customer data
Impact: Exfiltrate PII for follow-on abuse

Vulnerability Assessment (AI)

Exploitation: No special conditions. Remote unauthenticated exploitation against default configurations of the Easy Appointments WordPress plugin at versions ≤ 3.12.21, reachable over the public HTTP(S) interface that serves the host WordPress site. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N describes a remotely reachable, low-complexity, unauthenticated read primitive with high confidentiality impact and no integrity or availability effect, consistent with mass-scannable WordPress plugin disclosure bugs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker enumerates WordPress sites running Easy Appointments and issues crafted HTTP requests directly to a vulnerable plugin endpoint that lacks an authorization check, retrieving appointment records, customer PII, or other restricted booking data in the response. No public exploit identified at time of analysis, but the low attack complexity and PR:N requirement make automated mass-scan exploitation realistic once endpoint details circulate.

Remediation: Patch available per vendor advisory. Upgrade Easy Appointments to a release later than 3.12.21 as soon as the maintainer publishes one (consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/easy-appointments/vulnerability/wordpress-easy-appointments-plugin-3-12-21-broken-access-control-vulnerability for the fixed version once listed) and confirm the new version via the WordPress plugin updater. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Immediately disable the Easy Appointments plugin and assess which appointment data may have been accessed by reviewing server logs for suspicious API requests to plugin endpoints. …

