Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Unauthenticated network REST endpoints with no secret in key derivation; all inputs are observable or enumerable; integrity-only impact with no code execution or data exposure.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Appointment Bookings for Zoom GoogleMeet and more - Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment edit_key - the sole authorization token consumed by tryCancel() - being generated as a predictable, unsalted MD5 hash of only client_id (a sequential integer), start_at (a publicly observable appointment timestamp), and staff_id (a small enumerable integer), with no secret salt or random component, and the unauthenticated cancellation and rescheduling REST endpoints performing no ownership or identity verification beyond matching this reconstructible key. This makes it possible for unauthenticated attackers to compute valid edit_key values for appointments belonging to other users and cancel or reschedule those appointments arbitrarily. Exploitation requires the allow_cancellation or allow_rescheduling setting to be enabled on the site, both of which are common configurations for active booking deployments; an attacker can obtain the inputs needed to reconstruct a victim's key by booking their own appointment to observe their sequential client_id and correlating publicly visible appointment times and enumerable staff identifiers.
AnalysisAI
Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the edit_key - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer client_id, a publicly observable appointment timestamp start_at, and an enumerable integer staff_id. The unauthenticated REST endpoints for tryCancel() perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the `allow_cancellation` or `allow_rescheduling` setting to be explicitly enabled in the Wappointment plugin's admin configuration - the CVE description notes these are common configurations for actively-used booking deployments but are not guaranteed to be enabled on every installation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.3 (Medium, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately captures the attack vector and authentication posture but understates operational impact on actively-used booking sites where mass appointment disruption carries real business consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker visits the target WordPress site, books a test appointment, and extracts their assigned `client_id` from the confirmation email. They enumerate the handful of staff IDs available on the booking page, then iterate over sequential `client_id` values (both above and below their own) combined with publicly visible appointment slot timestamps and each staff ID, computing MD5 hashes until a match is found against a target appointment. … |
| Remediation | Update the Wappointment plugin to the first release above version 2.7.6 that incorporates changeset 3546313 from the WordPress plugin SVN repository; consult the plugin changelog at wordpress.org/plugins/wappointment/#developers to confirm the patched version number, as the exact release version was not independently confirmed in available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41260
GHSA-x67v-h94m-3pj6