Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.10.2.
AnalysisAI
Missing authorization in NSquared Simply Schedule Appointments WordPress plugin through version 1.6.10.2 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 (low-moderate) and EPSS probability of 0.02%, placing it in the lower-risk percentile despite public awareness. No active exploitation has been confirmed, and SSVC decision data indicates the issue is automatable but non-critical due to partial technical impact.
Technical ContextAI
The vulnerability resides in the NSquared Simply Schedule Appointments WordPress plugin (CPE: cpe:2.3:a:nsquared:simply_schedule_appointments:*:*:*:*:*:*:*:*), classified as CWE-862 (Missing Authorization). This root cause indicates the plugin fails to enforce proper authorization checks on certain functionality, likely API endpoints or admin features. The access control misconfiguration allows unauthenticated users to bypass permission validation layers. As a WordPress plugin, the vulnerability likely affects the REST API or AJAX handlers that should restrict access based on user roles or capabilities but instead expose read-only data due to missing or improperly implemented authorization logic.
RemediationAI
Update Simply Schedule Appointments to a version newer than 1.6.10.2 as soon as a patch is released by NSquared. Because the exact patched version number is not confirmed in the provided data, administrators should monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-10-2-broken-access-control-vulnerability) and the plugin's official WordPress repository for version 1.6.10.3 or later. As an interim measure, review and tighten WordPress capability assignments for users accessing the affected plugin, and restrict direct API calls to the plugin's endpoints using web application firewalling if available.
More in Simply Schedule Appointments
View allThe Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu
Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic
Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated at
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm
Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2
Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20391
GHSA-p542-f77w-p389