Skip to main content

Appointment Booking Calendar EUVDEUVD-2026-28236

| CVE-2026-4807 MEDIUM
Missing Authorization (CWE-862)
2026-05-07 Wordfence GHSA-x96p-55v7-jmrq
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 03:15 vuln.today
CVE Published
May 07, 2026 - 02:27 nvd
MEDIUM 6.5

DescriptionCVE.org

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoint at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption, and loss of booking records.

AnalysisAI

Appointment Booking Calendar plugin for WordPress up to version 1.6.10.6 allows unauthenticated attackers to view, delete, and modify arbitrary appointments due to missing authorization checks in REST API endpoints. The plugin exposes a site-wide public nonce through an unauthenticated endpoint (/wp-json/ssa/v1/embed-inner), and the appointment deletion and modification endpoints (/wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk) accept requests with this public nonce even when standard WordPress nonce validation fails, bypassing authorization entirely. Attackers can enumerate and delete appointment records, disclose sensitive booking data, and disrupt services without any authentication.

Technical ContextAI

The vulnerability stems from a flawed nonce-based authorization mechanism in the plugin's REST API implementation (specifically the nonce_permissions_check() method in the TD-API-Model class). WordPress nonces are typically user-specific, request-specific tokens; however, this plugin generates a site-wide public nonce exposed via the /wp-json/ssa/v1/embed-inner endpoint to unauthenticated users. The flaw lies in a cascading validation logic where if the standard X-WP-Nonce header validation fails, the code falls back to accepting X-PUBLIC-Nonce without properly rejecting the overall request. Since the public nonce is static, site-wide, and unauthenticated, it becomes a bypass mechanism rather than a security control. The underlying root cause is CWE-862 (Missing Authorization), compounded by improper error handling and trust in a supposedly-public security token. The affected endpoints are part of the WordPress REST API route /wp-json/ssa/v1/, which is publicly accessible by default in WordPress.

RemediationAI

Update the Appointment Booking Calendar plugin immediately to version 1.6.10.7 or later, which should contain the authorization logic fix. Administrators can verify the update via the WordPress plugin dashboard or manually download from plugins.trac.wordpress.org. For organizations unable to update immediately, implement the following compensating controls: (1) restrict REST API access to /wp-json/ssa/v1/* endpoints by IP whitelist (web server configuration) if only internal or known-client access is required-this blocks unauthenticated external reconnaissance; (2) disable the plugin entirely if not actively used and re-enable only when patched; (3) monitor WordPress access logs for unusual POST/DELETE requests to /wp-json/ssa/v1/appointments endpoints from untrusted sources and alert on repeated 200/204 responses to delete operations. Note that IP whitelisting has operational overhead for multi-user or cloud-hosted environments and may block legitimate customers if the booking flow depends on REST API. Disabling the plugin stops new bookings entirely. Log monitoring is detective-only and does not prevent exploitation but enables incident response. Patching is the only complete mitigation.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-28236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy