PT-2025-52418 · WordPress · Simply Schedule Appointments Booking Plugin

Marcin Dudek · Published 2025-12-19 · Updated 2025-12-19 · CVE-2025-13754

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Simply Schedule Appointments Booking Plugin for WordPress versions prior to 1.6.9.16
Description: The plugin exposes its admin embed endpoint at /wp-json/ssa/v1/embed-inner-admin without authentication. This exposure leaks plugin settings, including staff names, business names, and configuration data not publicly displayed on the booking form. Unauthenticated attackers can extract private business configuration. In premium versions with integrations configured, this may also expose sensitive data including API keys for external services.
Recommendations: Update to a version later than 1.6.9.16.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2025-13754

Affected Products: Simply Schedule Appointments Booking Plugin