Skip to main content

Simply Schedule Appointments EUVDEUVD-2026-43434

| CVE-2026-59523 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable plugin endpoint with no auth required (PR:N), low complexity; partial C and I impact only, no availability impact per description.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:17 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.11.11.

AnalysisAI

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows unauthenticated network attackers to bypass access control security levels, yielding limited confidentiality and integrity impact against affected WordPress sites. Reported by Patchstack under CWE-862, the flaw is automatable per CISA's SSVC framework, meaning it can be exploited at scale without human interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running vulnerable plugin
Exploit
Send unauthenticated HTTP request to plugin endpoint
Execution
Bypass missing authorization check
Impact
Access or modify protected appointment data

Vulnerability AssessmentAI

Exploitation The vulnerability is exploitable against any WordPress installation running Simply Schedule Appointments version 1.6.11.11 or earlier where the plugin is active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) scores 6.5 (Medium), indicating network-reachable, low-complexity, unauthenticated exploitation with partial confidentiality and integrity impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends crafted HTTP requests to a vulnerable Simply Schedule Appointments endpoint on a WordPress site running version 1.6.11.11 or earlier, bypassing the plugin's access control checks to read appointment data or modify scheduling records that should require elevated privileges. No public exploit code has been identified at time of analysis, but the low attack complexity and SSVC Automatable: yes rating indicate that automated scanning tools could trivially probe and exploit this at scale across WordPress installations. …
Remediation Update the Simply Schedule Appointments plugin to a version beyond 1.6.11.11 via the WordPress admin dashboard (Plugins > Installed Plugins > Update). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-7129 HIGH POC
7.2 Sep 13

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu

CVE-2026-39493 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a

CVE-2022-2373 MEDIUM POC
5.3 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u

CVE-2024-2341 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-2342 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-7877 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2024-7876 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2022-2374 MEDIUM POC
4.8 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic

CVE-2026-39495 HIGH
8.5 Apr 08

Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated at

CVE-2023-50851 HIGH
7.6 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm

CVE-2026-42384 HIGH
7.5 Jun 15

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2

CVE-2026-39447 HIGH
7.1 Jun 15

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1

Share

EUVD-2026-43434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy