CVE-2026-4807

May 7, 2026, 2 p.m.

6.5
Medium

Description

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoint at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption, and loss of booking records.

Product(s) Impacted

Vendor Product Versions
Appointment Booking Calendar
  • Appointment Booking Calendar
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a appointment_booking_calendar appointment_booking_calendar / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/booking-app-new/iframe-inner.php#L444
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-appointment-model.php#L698
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-bootstrap.php#L151
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-shortcodes.php#L889
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/lib/td-util/class-td-api-model.php#L110
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/lib/td-util/class-td-api-model.php#L361
https://plugins.trac.wordpress.org/changeset/3511993/simply-schedule-appointments/trunk/includes
https://www.wordfence.com/threat-intel/vulnerabilities/id/436ab843-7729-4d57-9c9e-2ede2f101ddb?source=cve

Tags

[email protected]
CWE-862
2026-05-07
CVE-2026-4807

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

    View Vector String

Timeline

Published: May 7, 2026, 3:16 a.m.
Last Modified: May 7, 2026, 2 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.