Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description explicitly states unauthenticated remote sensitive data exposure, so AV:N/AC:L/PR:N/UI:N with C:H and no integrity or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2 allows remote attackers to retrieve protected information without credentials over the network. The flaw is reported by Patchstack and carries a CVSS 7.5 (high) confidentiality-only impact, with no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Simply Schedule Appointments is a WordPress appointment-booking plugin published by nsquared (CPE cpe:2.3:a:nsquared:simply_schedule_appointments). The root cause is CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin returns data via an exposed surface - typically a REST/AJAX endpoint reachable from the WordPress front end - that should have been restricted to authenticated or privileged callers. Because WordPress plugins commonly expose /wp-json/ REST routes, a missing permission_callback or weak capability check is the typical mechanism behind this CWE in this ecosystem, allowing data intended for booking administrators or scheduled attendees to leak to anonymous requesters.
RemediationAI
Patch available per vendor advisory - upgrade the Simply Schedule Appointments plugin to version 1.6.11.2 or later via the WordPress plugin updater, and confirm details on the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-11-2-sensitive-data-exposure-vulnerability. If immediate patching is not possible, deactivate the plugin (side effect: appointment booking functionality is lost) or place the site behind a WAF / virtual patch (Patchstack, Wordfence) with a rule blocking anonymous requests to the plugin's REST/AJAX endpoints under /wp-json/ssa/ and admin-ajax.php?action=ssa_* (side effect: legitimate unauthenticated booking flows may break and require testing). Restricting access to the WordPress REST API for unauthenticated users is an additional compensating control but will impact any other plugin that relies on public REST routes.
More in Simply Schedule Appointments
View allThe Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu
Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic
Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated at
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm
Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1
Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows un
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36812
GHSA-vxmf-3r42-mv9x