PT-2026-1398 · WordPress · Simply Schedule Appointments Booking Plugin
Lucas Montes · Published 2026-01-06 · Updated 2026-01-08 · CVE-2025-11723
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Simply Schedule Appointments Booking Plugin versions prior to 1.6.9.6
Description
The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin for WordPress is susceptible to sensitive information exposure due to the use of a hardcoded fall-back salt within the hash() function. This allows unauthenticated attackers to generate a valid token on sites utilizing the plugin that haven’t manually configured a salt in the wp-config.php file. Successful exploitation enables access to booking information, potentially allowing attackers to make modifications.
Recommendations
Update the Simply Schedule Appointments Booking Plugin to version 1.6.9.6 or later.
Manually set a salt in the wp-config.php file to prevent the use of the hardcoded fall-back salt.
Fix
Use of Insufficiently Random Values
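The weakness class described above, a hardcoded fall-back salt, shown next to a fail-closed alternative. This is an added PHP example, not the plugin's code or its patch; the constant EXAMPLE_BOOKING_SALT, the fallback literal, the file paths and all function names are hypothetical.

```php
<?php
// Added illustration; every name below is hypothetical, not the plugin's code.

// Vulnerable pattern: when the site owner has not defined a salt, every
// installation silently shares the same literal taken from the source code.
function token_with_fallback(string $bookingId): string {
    $salt = defined('EXAMPLE_BOOKING_SALT')
        ? EXAMPLE_BOOKING_SALT
        : 'constructed-fallback-salt';   // identical on every unconfigured site
    return hash('sha256', $bookingId . $salt);
}

// Hardened pattern: no shared default. Use the configured secret if present,
// otherwise create a per-site random secret once, persist it, or fail closed.
function site_secret(string $storePath): string {
    if (defined('EXAMPLE_BOOKING_SALT') && strlen(EXAMPLE_BOOKING_SALT) >= 32) {
        return EXAMPLE_BOOKING_SALT;
    }
    if (!is_file($storePath)) {
        $fh = @fopen($storePath, 'x');   // 'x' fails if another request won the race
        if ($fh !== false) {
            chmod($storePath, 0600);
            fwrite($fh, bin2hex(random_bytes(32)));   // 256 bits from the CSPRNG
            fclose($fh);
        }
    }
    $secret = trim((string) @file_get_contents($storePath));
    if (strlen($secret) < 64) {
        throw new RuntimeException('no usable per-site secret; refusing to issue tokens');
    }
    return $secret;
}

function issue_token(string $bookingId, string $secret): string {
    return hash_hmac('sha256', $bookingId, $secret);   // keyed MAC instead of hash(data . salt)
}

function verify_token(string $bookingId, string $token, string $secret): bool {
    return hash_equals(issue_token($bookingId, $secret), $token);   // constant-time compare
}

// Constructed demo: two "sites", neither with a configured salt.
$a = site_secret(sys_get_temp_dir() . '/example-site-a.secret');
$b = site_secret(sys_get_temp_dir() . '/example-site-b.secret');
$tokenA = issue_token('booking-42', $a);
var_dump(verify_token('booking-42', $tokenA, $a));   // checked against the issuing site's secret
var_dump(verify_token('booking-42', $tokenA, $b));   // checked against a different site's secret
```

In a WordPress plugin the generated secret would normally be stored in the options table; the file store here only keeps the example runnable without WordPress.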
Weakness Enumeration
Related Identifiers
Affected Products
Simply Schedule Appointments Booking Plugin