Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Endpoint reachable over network (AV:N), contributor login required (PR:L), only booking PII disclosed with no write or availability impact (C:L/I:N/A:N), no scope change.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer names, email addresses, phone numbers, appointment comments, and other booking personally identifiable information.
AnalysisAI
Sensitive PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.02) allows any authenticated user with contributor-level access to retrieve customer booking records - including names, email addresses, phone numbers, and appointment comments - via the unprotected cpabc_appointments_filter_list AJAX action. The root cause is CWE-862 (Missing Authorization): the endpoint performs no capability check before returning data, meaning the attacker's only prerequisite is a valid WordPress login at contributor tier or above. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at least contributor-level role (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the threat model: the attack is network-reachable, requires no special conditions, and needs only a contributor-level WordPress account, but the impact is limited to confidentiality of booking PII with no integrity or availability consequence and no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a contributor-level WordPress account on a target site running the Appointment Booking Calendar plugin. They send an authenticated POST request to `wp-admin/admin-ajax.php` with `action=cpabc_appointments_filter_list` and any required nonce, and the server responds with the full appointment booking dataset containing customer names, email addresses, phone numbers, and appointment comments. … |
| Remediation | Update the Appointment Booking Calendar plugin to the version that incorporates SVN changeset 3581633, which reflects the upstream source-level fix committed to the plugin's trunk; however, the specific patched release version number is not independently confirmed in the available data - verify the current version in the WordPress plugin repository before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Appointment Booking Calendar
View allThe Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could al
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or
The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea para
Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress. Rated high severity (
Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. Rated medium severity (CVSS 4.
SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar pl
Sensitive customer PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.0
Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appoint
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionali
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40903
GHSA-jg95-92mw-5qqj