Skip to main content

Wappointment CVE-2026-9188

| EUVDEUVD-2026-41260 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-02 Wordfence GHSA-x67v-h94m-3pj6
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Unauthenticated network REST endpoints with no secret in key derivation; all inputs are observable or enumerable; integrity-only impact with no code execution or data exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:22 vuln.today
CVE Published
Jul 02, 2026 - 08:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The Appointment Bookings for Zoom GoogleMeet and more - Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment edit_key - the sole authorization token consumed by tryCancel() - being generated as a predictable, unsalted MD5 hash of only client_id (a sequential integer), start_at (a publicly observable appointment timestamp), and staff_id (a small enumerable integer), with no secret salt or random component, and the unauthenticated cancellation and rescheduling REST endpoints performing no ownership or identity verification beyond matching this reconstructible key. This makes it possible for unauthenticated attackers to compute valid edit_key values for appointments belonging to other users and cancel or reschedule those appointments arbitrarily. Exploitation requires the allow_cancellation or allow_rescheduling setting to be enabled on the site, both of which are common configurations for active booking deployments; an attacker can obtain the inputs needed to reconstruct a victim's key by booking their own appointment to observe their sequential client_id and correlating publicly visible appointment times and enumerable staff identifiers.

AnalysisAI

Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the edit_key - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer client_id, a publicly observable appointment timestamp start_at, and an enumerable integer staff_id. The unauthenticated REST endpoints for tryCancel() perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Book own appointment to observe sequential client_id
Delivery
Enumerate staff IDs from public booking UI
Exploit
Derive or observe target appointment timestamps
Execution
Compute unsalted MD5(client_id, start_at, staff_id) for victim appointment
Persist
Submit reconstructed edit_key to unauthenticated REST cancel or reschedule endpoint
Impact
Cancel or reschedule victim's appointment arbitrarily

Vulnerability AssessmentAI

Exploitation Exploitation requires the `allow_cancellation` or `allow_rescheduling` setting to be explicitly enabled in the Wappointment plugin's admin configuration - the CVE description notes these are common configurations for actively-used booking deployments but are not guaranteed to be enabled on every installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.3 (Medium, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately captures the attack vector and authentication posture but understates operational impact on actively-used booking sites where mass appointment disruption carries real business consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker visits the target WordPress site, books a test appointment, and extracts their assigned `client_id` from the confirmation email. They enumerate the handful of staff IDs available on the booking page, then iterate over sequential `client_id` values (both above and below their own) combined with publicly visible appointment slot timestamps and each staff ID, computing MD5 hashes until a match is found against a target appointment. …
Remediation Update the Wappointment plugin to the first release above version 2.7.6 that incorporates changeset 3546313 from the WordPress plugin SVN repository; consult the plugin changelog at wordpress.org/plugins/wappointment/#developers to confirm the patched version number, as the exact release version was not independently confirmed in available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy