PT-2026-25152 · Croixhaug · The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Itthidej Aramsri
·
Published
2026-03-13
·
Updated
2026-03-13
·
CVE-2026-1704
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Simply Schedule Appointments Booking Plugin versions prior to 1.6.9.30
Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This occurs because the
get item permissions check method allows access to users possessing the ssa manage appointments capability without verifying staff ownership of the appointment. This allows authenticated attackers with custom-level access or higher (users with the ssa manage appointments capability, like Team Members) to view appointment records belonging to other staff members and access sensitive customer personally identifiable information through the appointment ID parameter.Recommendations
Update Simply Schedule Appointments Booking Plugin to version 1.6.9.30 or later.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin