PT-2025-52418 · WordPress · Simply Schedule Appointments Booking Plugin
Marcin Dudek
Published: 2025-12-19 · Updated: 2025-12-19
CVE-2025-13754
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Simply Schedule Appointments Booking Plugin for WordPress versions prior to 1.6.9.16
Description
The plugin exposes its admin embed endpoint at /wp-json/ssa/v1/embed-inner-admin without authentication. This exposure leaks plugin settings, including staff names, business names, and configuration data that is not publicly displayed on the booking form. Unauthenticated attackers can extract private business configuration. In premium versions with integrations configured, this may also expose sensitive data, including API keys for external services.
Recommendations
Update to a version later than 1.6.9.16.
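A site owner checking whether this route was reached before patching can grep the web server access log for it. The following detection script is an added example, not code from the advisory or the plugin: it parses combined-format log lines (constructed sample data below), flags successful requests to the route, both as the pretty permalink `/wp-json/ssa/v1/embed-inner-admin` and as the `?rest_route=` form WordPress also accepts, and counts them per client address.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# REST route named in the advisory; an unauthenticated 200 here on a
# version prior to 1.6.9.16 means the settings payload was served.
SSA_ADMIN_EMBED = "/ssa/v1/embed-inner-admin"

# Combined log format as written by Apache/nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def targets_ssa_admin_embed(target: str) -> bool:
    """True if the request target reaches the admin embed route, either via
    /wp-json/... or via the ?rest_route=... fallback used without pretty permalinks."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    if path.endswith("/wp-json" + SSA_ADMIN_EMBED):
        return True
    for route in parse_qs(parts.query).get("rest_route", []):
        if unquote(route).rstrip("/") == SSA_ADMIN_EMBED:
            return True
    return False

def find_embed_admin_hits(lines):
    """Return (client_ip, timestamp) for every request to the route that
    was answered with 200; after the upgrade, expect 401/403 instead."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        if m["status"] == "200" and targets_ssa_admin_embed(m["target"]):
            hits.append((m["ip"], m["ts"]))
    return hits

def hits_per_ip(lines):
    """Count successful reads of the route per client address for triage."""
    return Counter(ip for ip, _ in find_embed_admin_hits(lines))

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2025:10:01:02 +0000] "GET /wp-json/ssa/v1/embed-inner-admin HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [19/Dec/2025:10:01:05 +0000] "GET /?rest_route=/ssa/v1/embed-inner-admin HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.4 - - [19/Dec/2025:10:02:00 +0000] "GET /wp-json/ssa/v1/embed-inner-admin HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Dec/2025:10:02:30 +0000] "GET /book-now/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in hits_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {count} successful read(s) of {SSA_ADMIN_EMBED}")
```

Run it over the real access log (one line per element of the list) to decide whether exposed settings, and any premium integration API keys, should be treated as disclosed and rotated.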
Weakness Enumeration
Missing Authorization
Related identifiers
Affected products
Simply Schedule Appointments Booking Plugin