{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3045", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-23T17:29:24.802Z", "datePublished": "2026-03-13T07:23:38.549Z", "dateUpdated": "2026-03-13T07:23:38.549Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-13T07:23:38.549Z"}, "affected": [{"vendor": "croixhaug", "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.6.9.29", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments."}], "title": "Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5970b8d6-0041-4c30-a6ce-fe67ebf415f5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-settings-api.php#L128"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-api-model.php#L361"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-bootstrap.php#L151"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480506%40simply-schedule-appointments%2Ftrunk&old=3475885%40simply-schedule-appointments%2Ftrunk&sfp_email=&sfph_mail=#file0"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Sharief"}], "timeline": [{"time": "2026-02-23T17:48:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-12T19:14:03.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{}

{}

{}