Security Alert Summary
The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin for WordPress contains a missing authorization vulnerability in its bulk appointments REST API endpoint. An attacker who can obtain a static public nonce exposed in pages using the [ssa_booking] shortcode may be able to modify appointment records (including customer PII, payment status, and meeting URL fields) and retrieve full customer PII from existing records via the bulk endpoint response without authenticating.
CVE Details
- CVE ID: CVE-2026-6937
- Affected plugin/component: Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin (plugin for WordPress)
- Affected versions: All versions up to, and including, 1.6.11.8
- Published: May 28, 2026 at 9:16:48 AM
- Last modified: May 28, 2026 at 1:45:25 PM
- CVSS v3.1: Base Score 5.3, Severity MEDIUM, Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Authentication / Privileges / User Interaction:
  - Authentication required: No (unauthenticated)
  - Privileges required: None
  - User interaction: None
- Primary impact:
  - Confidentiality: None (CVSS reports no confidentiality impact for the base vector, though the endpoint response can expose customer PII as described)
  - Integrity: Low (ability to modify appointment records, including PII, payment status, and meeting URLs)
  - Availability: None
- Weakness (CWE): CWE-862
Technical Details
This issue is a missing authorization check in the plugin’s bulk appointments REST API endpoint. The plugin does not properly verify that the requesting user is authorized to perform actions on appointment records before processing bulk requests. A static, user-independent public nonce present in the HTML of any page that includes the [ssa_booking] shortcode can be obtained by visitors to those pages. Because the nonce is static and available in page source, an attacker who has viewed such a page can supply that value to the bulk endpoint and interact with appointment records without authenticating.
The lack of authorization allows modification of arbitrary appointment fields (customer personally identifiable information, payment status, and meeting URL fields) and can cause the bulk endpoint response to return full customer PII from existing appointment records. The vulnerability arises from missing server-side authorization checks on the REST endpoint combined with a publicly exposed nonce that does not enforce per-user authorization.
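The pattern below is an added example written for this advisory; it is not the plugin's own code and does not reproduce the plugin's endpoint. It contrasts the weak nonce-only gate described above with a permission_callback that actually authorizes the caller, and a handler that limits which fields a request may change and returns no PII. The namespace, route, capability name, table and column names, and the editable-field allowlist are all assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Route, capability, table and
// field names are assumptions.

// Weak gate, shown for contrast only: wp_verify_nonce() proves the caller
// holds a value the site hands out. For logged-out visitors wp_create_nonce()
// derives that value from user ID 0, so every visitor gets the same nonce.
// It is CSRF protection, not proof of who is calling.
function example_ssa_weak_permission( WP_REST_Request $request ) {
    return (bool) wp_verify_nonce( (string) $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
}

// Hypothetical ownership lookup; table and column names are assumed.
function example_ssa_user_owns_appointment( $appointment_id, $user_id ) {
    global $wpdb;
    $owner = $wpdb->get_var( $wpdb->prepare(
        "SELECT customer_id FROM {$wpdb->prefix}example_ssa_appointments WHERE id = %d",
        $appointment_id
    ) );
    return null !== $owner && (int) $owner === (int) $user_id;
}

// Hardened gate: authenticate, then authorize by capability and per record.
function example_ssa_bulk_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( current_user_can( 'manage_options' ) ) { // assumed administrator capability
        return true;
    }
    $user_id = get_current_user_id();
    foreach ( (array) $request->get_param( 'ids' ) as $id ) {
        if ( ! example_ssa_user_owns_appointment( (int) $id, $user_id ) ) {
            return new WP_Error( 'rest_forbidden', 'You may only modify your own appointments.', array( 'status' => 403 ) );
        }
    }
    return true;
}

// Persist an already-filtered set of fields; assumed table name.
function example_ssa_update_appointment( $appointment_id, array $fields ) {
    global $wpdb;
    $clean = array_map( 'sanitize_text_field', $fields );
    return false !== $wpdb->update(
        $wpdb->prefix . 'example_ssa_appointments',
        $clean,
        array( 'id' => $appointment_id ),
        array_fill( 0, count( $clean ), '%s' ),
        array( '%d' )
    );
}

// Handler: only allowlisted fields are writable (payment status and meeting
// URL stay server-controlled), and the response carries no customer data.
function example_ssa_bulk_handler( WP_REST_Request $request ) {
    $allowed = array( 'status' => true, 'customer_note' => true ); // assumed editable fields
    $fields  = array_intersect_key( (array) $request->get_param( 'fields' ), $allowed );
    if ( empty( $fields ) ) {
        return new WP_Error( 'rest_invalid_param', 'No editable fields supplied.', array( 'status' => 400 ) );
    }
    $updated = 0;
    foreach ( (array) $request->get_param( 'ids' ) as $id ) {
        if ( example_ssa_update_appointment( (int) $id, $fields ) ) {
            $updated++;
        }
    }
    return rest_ensure_response( array( 'updated' => $updated ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-ssa/v1', '/appointments/bulk', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_ssa_bulk_handler',
        'permission_callback' => 'example_ssa_bulk_permission', // never __return_true or a nonce-only check
        'args'                => array(
            'ids'    => array( 'required' => true, 'type' => 'array', 'items' => array( 'type' => 'integer' ) ),
            'fields' => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );
```

The design point is that the nonce and the authorization decision are separate concerns: WordPress core already uses the X-WP-Nonce header to decide whether a cookie session counts as logged in, so the permission_callback should start from is_user_logged_in() and the current user's capabilities, and then check each record the request names rather than trusting a bulk request as a whole.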
How This Could Impact Your Website
In a realistic scenario, a site owner publishes booking pages that include the [ssa_booking] shortcode. An external visitor who inspects the page source can obtain the static public nonce. That visitor could then target the bulk appointments endpoint to view or modify appointment details. Internal staff or external contractors who manage appointments could find customer emails, phone numbers, or meeting links exposed or altered, without any account credentials having been compromised.
Possible practical consequences include exposure of customer contact details, altered payment or meeting status for appointments, and an increased risk of targeted phishing or social engineering against your customers or staff using the exposed data. If you are unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level and other roles with appointment access.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and shortcodes from public-facing pages.
- Monitor site activity and appointment records for unusual reads or modifications.
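For the monitoring item above, the following added example (not the plugin's or Wordfence's code) logs write attempts against the booking plugin's REST routes that arrive without an authenticated user, so that unexpected modification attempts appear in the server log. The route prefix is an assumption; set it to the namespace the installed plugin actually registers.

```php
<?php
// Added example, not the plugin's own code. The route prefix is assumed.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $prefix = '/ssa/v1/'; // assumed REST namespace of the booking plugin
    $route  = $request->get_route();
    if ( 0 !== strpos( $route, $prefix ) ) {
        return $response;
    }
    $writes = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
    if ( in_array( $request->get_method(), $writes, true ) && ! is_user_logged_in() ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : 'unknown';
        // This filter runs before the permission_callback, so it records
        // attempts whether or not the route later denies them.
        error_log( sprintf(
            'booking-audit: unauthenticated %s %s from %s (nonce header %s)',
            $request->get_method(),
            $route,
            $ip,
            $request->get_header( 'X-WP-Nonce' ) ? 'present' : 'absent'
        ) );
    }
    return $response; // never blocks; observation only
}, 10, 3 );
```

On a patched site these entries should correspond to denied requests; a burst of them against the bulk appointments route, or entries that appear alongside changed appointment records on an unpatched site, is the signal to investigate.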
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.0/includes/class-appointment-model.php#L724
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.0/includes/class-bootstrap.php#L151
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.0/includes/lib/td-util/class-td-api-model.php#L74
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.0/includes/class-appointment-model.php#L724
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.0/includes/class-bootstrap.php#L151
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.0/includes/lib/td-util/class-td-api-model.php#L74
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L724
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-bootstrap.php#L151
- https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L74
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3549843%40simply-schedule-appointments&new=3549843%40simply-schedule-appointments&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ef0f5f9d-788a-4cf8-9747-ada076a69a1f?source=cve