Skip to main content

Simply Schedule Appointments EUVDEUVD-2026-36812

| CVE-2026-42384 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-15 Patchstack GHSA-vxmf-3r42-mv9x
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Description explicitly states unauthenticated remote sensitive data exposure, so AV:N/AC:L/PR:N/UI:N with C:H and no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:04 vuln.today
Patch available
Jun 15, 2026 - 22:02 EUVD

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2 allows remote attackers to retrieve protected information without credentials over the network. The flaw is reported by Patchstack and carries a CVSS 7.5 (high) confidentiality-only impact, with no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Simply Schedule Appointments is a WordPress appointment-booking plugin published by nsquared (CPE cpe:2.3:a:nsquared:simply_schedule_appointments). The root cause is CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin returns data via an exposed surface - typically a REST/AJAX endpoint reachable from the WordPress front end - that should have been restricted to authenticated or privileged callers. Because WordPress plugins commonly expose /wp-json/ REST routes, a missing permission_callback or weak capability check is the typical mechanism behind this CWE in this ecosystem, allowing data intended for booking administrators or scheduled attendees to leak to anonymous requesters.

RemediationAI

Patch available per vendor advisory - upgrade the Simply Schedule Appointments plugin to version 1.6.11.2 or later via the WordPress plugin updater, and confirm details on the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-11-2-sensitive-data-exposure-vulnerability. If immediate patching is not possible, deactivate the plugin (side effect: appointment booking functionality is lost) or place the site behind a WAF / virtual patch (Patchstack, Wordfence) with a rule blocking anonymous requests to the plugin's REST/AJAX endpoints under /wp-json/ssa/ and admin-ajax.php?action=ssa_* (side effect: legitimate unauthenticated booking flows may break and require testing). Restricting access to the WordPress REST API for unauthenticated users is an additional compensating control but will impact any other plugin that relies on public REST routes.

CVE-2024-7129 HIGH POC
7.2 Sep 13

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu

CVE-2026-39493 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a

CVE-2022-2373 MEDIUM POC
5.3 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u

CVE-2024-2341 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-2342 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-7877 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2024-7876 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2022-2374 MEDIUM POC
4.8 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic

CVE-2026-39495 HIGH
8.5 Apr 08

Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated at

CVE-2023-50851 HIGH
7.6 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm

CVE-2026-39447 HIGH
7.1 Jun 15

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1

CVE-2026-59523 MEDIUM
6.5 Jul 13

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows un

Share

EUVD-2026-36812 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy