Skip to main content

Simply Schedule Appointments EUVDEUVD-2026-20391

| CVE-2026-39694 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-p542-f77w-p389
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20391
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.10.2.

AnalysisAI

Missing authorization in NSquared Simply Schedule Appointments WordPress plugin through version 1.6.10.2 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 (low-moderate) and EPSS probability of 0.02%, placing it in the lower-risk percentile despite public awareness. No active exploitation has been confirmed, and SSVC decision data indicates the issue is automatable but non-critical due to partial technical impact.

Technical ContextAI

The vulnerability resides in the NSquared Simply Schedule Appointments WordPress plugin (CPE: cpe:2.3:a:nsquared:simply_schedule_appointments:*:*:*:*:*:*:*:*), classified as CWE-862 (Missing Authorization). This root cause indicates the plugin fails to enforce proper authorization checks on certain functionality, likely API endpoints or admin features. The access control misconfiguration allows unauthenticated users to bypass permission validation layers. As a WordPress plugin, the vulnerability likely affects the REST API or AJAX handlers that should restrict access based on user roles or capabilities but instead expose read-only data due to missing or improperly implemented authorization logic.

RemediationAI

Update Simply Schedule Appointments to a version newer than 1.6.10.2 as soon as a patch is released by NSquared. Because the exact patched version number is not confirmed in the provided data, administrators should monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-10-2-broken-access-control-vulnerability) and the plugin's official WordPress repository for version 1.6.10.3 or later. As an interim measure, review and tighten WordPress capability assignments for users accessing the affected plugin, and restrict direct API calls to the plugin's endpoints using web application firewalling if available.

CVE-2024-7129 HIGH POC
7.2 Sep 13

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu

CVE-2026-39493 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a

CVE-2022-2373 MEDIUM POC
5.3 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u

CVE-2024-2341 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-2342 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-7877 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2024-7876 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2022-2374 MEDIUM POC
4.8 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic

CVE-2026-39495 HIGH
8.5 Apr 08

Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated at

CVE-2023-50851 HIGH
7.6 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm

CVE-2026-42384 HIGH
7.5 Jun 15

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2

CVE-2026-39447 HIGH
7.1 Jun 15

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1

Share

EUVD-2026-20391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy