Appointment Bookings For Zoom Googlemeet And More Wappointment
Monthly
Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.
Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.