MEDIUM 5.3

CVE-2026-6937: Unauthenticated Appointment Data Access in Simply Schedule Appointments Plugin

A WordPress plugin called 'Appointment Booking Calendar — Simply Schedule Appointments' has a flaw that allows anyone on the internet to view and modify appointment data without logging in. Attackers can change appointment details, payment status, meeting links, and steal customer information by exploiting a predictable security token that's visible in the HTML of booking pages. The vulnerability affects all versions up to 1.6.11.8.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication.

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-6937 is a missing authorization vulnerability in the Simply Schedule Appointments WordPress plugin's bulk appointments REST API endpoint. The plugin fails to enforce proper access controls, allowing unauthenticated requests to modify appointment records. The vulnerability is compounded by the use of a static, user-independent nonce value that persists in the HTML source of any page using the [ssa_booking] shortcode. This predictable nonce allows any visitor to the booking page to obtain the token needed to craft unauthorized API requests targeting any appointment record in the system, regardless of ownership.

Business impact

Organizations using this plugin to manage appointment bookings face exposure of customer personally identifiable information (PII), including contact details, meeting links, and potentially payment information. Attackers can modify appointment records, leading to customer confusion, operational disruption, failed meetings, and reputational damage. If payment status fields are altered, there is risk of financial reconciliation issues. The vulnerability is particularly dangerous for healthcare providers, legal firms, and service businesses that rely on this plugin for client-facing scheduling.

Affected systems

All WordPress installations running the Appointment Booking Calendar — Simply Schedule Appointments plugin at version 1.6.11.8 and earlier are vulnerable. The plugin must be actively deployed with the [ssa_booking] shortcode visible on at least one public page to expose the static nonce and create a practical attack vector.

Exploitability

Exploitability is high from a technical standpoint. The attack requires no authentication, no user interaction, and no complex steps—an attacker needs only to visit a public page hosting the booking shortcut to extract the nonce, then use standard HTTP requests to target the REST endpoint. The CVSS score of 5.3 (MEDIUM) reflects that the primary impact is integrity compromise rather than confidentiality or availability, but the low barrier to entry means this vulnerability is likely to be actively exploited once disclosed.

Remediation

Update the Appointment Booking Calendar — Simply Schedule Appointments plugin to a version newer than 1.6.11.8 as soon as it becomes available from the vendor. Verify the patch version against the official plugin repository or vendor advisory before deployment. As an interim measure, restrict access to pages containing the [ssa_booking] shortcode to authenticated users only, or use a Web Application Firewall (WAF) rule to block bulk API endpoint requests from unauthenticated sources.

Patch guidance

Monitor the WordPress plugin repository and vendor advisories for a patched version addressing this authorization flaw. Once available, apply the update to all affected WordPress installations without delay. Test the patched version in a staging environment to ensure compatibility with custom configurations or other plugins before production deployment. After patching, verify that the REST API endpoint now requires proper authentication and that nonce generation is user-dependent.

Detection guidance

Monitor WordPress server logs and WAF logs for POST or PUT requests to the `/wp-json/` endpoint paths associated with appointment endpoints, particularly from unauthenticated sources or requests containing the [ssa_booking] shortcode nonce. Track unusual modification patterns in appointment records, such as bulk changes to payment status or meeting URLs that don't correspond to legitimate user actions. Compare appointment modification logs against authenticated user session logs to identify unauthorized changes. Search your WordPress database and HTML source for instances of the [ssa_booking] shortcode and document which pages expose the static nonce.

Why prioritize this

Although the CVSS score is MEDIUM, this vulnerability should be prioritized for rapid patching because: (1) exploitation is trivial and requires no special privileges or user interaction; (2) customer PII exposure creates compliance and privacy risks; (3) appointment manipulation can directly damage customer trust and business operations; (4) the static nonce makes the vulnerability discoverable and exploitable at scale; and (5) the plugin is commonly used in customer-facing business workflows. Delay in patching increases the window of exposure for active exploitation.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a MEDIUM severity rating based on the vulnerability's integrity impact (modification of appointment records and PII) without requiring authentication or user interaction (AV:N, AC:L, PR:N, UI:N). However, the score does not fully capture the practical risk posed by the trivial exploitability and the exposure of customer PII, which may warrant elevated internal risk scoring depending on the sensitivity of data stored and the business context. Organizations handling regulated data (healthcare, financial) should treat this as HIGH priority despite the MEDIUM CVSS rating.

Frequently asked questions

Do I need to be logged into WordPress to exploit this vulnerability?

No. The vulnerability requires no authentication. Any visitor who has viewed a page containing the [ssa_booking] shortcode can extract the static nonce from the HTML source and use it to target the bulk appointments API endpoint without logging in.

What data is at risk?

Customer PII including names, email addresses, phone numbers, meeting URLs, payment status, and any other fields stored in appointment records are at risk of both exposure and unauthorized modification.

Is there a workaround if I cannot patch immediately?

You can restrict access to pages hosting the [ssa_booking] shortcode to logged-in users only as a temporary measure. Additionally, configure your WAF to block bulk API requests from unauthenticated sources. However, these are stopgap measures; patching should be completed as soon as a fix is available.

Will updating the plugin disrupt existing appointments or bookings?

A security patch should not affect existing appointment data. However, always test the update in a staging environment first to confirm compatibility with your specific WordPress configuration and any custom extensions before deploying to production.

This analysis is based on the vulnerability description and metadata available as of the publication date. Patch availability, affected version ranges, and vendor advisories should be verified directly with the WordPress plugin repository and the vendor before taking remediation action. SEC.co does not provide legal or compliance advice; organizations should assess their own risk tolerance and regulatory obligations. No exploit code or proof-of-concept is provided; this document is intended for defensive and awareness purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).