PT-2026-25154 · Croixhaug · The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Muhammad Sharief

Published 2026-03-13 · Updated 2026-03-14

CVE-2026-3045

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Appointment Booking Calendar — Simply Schedule Appointments, versions through 1.6.9.29
Description: The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is susceptible to unauthorized access to sensitive data. A public nonce that is not tied to any specific user is exposed to unauthenticated visitors through the /wp-json/ssa/v1/embed-inner REST endpoint. The get_item() method in SSA_Settings_Api uses nonce_permissions_check() for authorization, which accepts this public nonce, but it does not call remove_unauthorized_settings_for_current_user() to strip restricted fields from the response. An unauthenticated attacker can therefore read administrator-only plugin settings via the /wp-json/ssa/v1/settings/{section} endpoint, including the administrator's email address and phone number, internal access tokens, notification configuration, and developer settings. Because appointment tokens are among the exposed values, the attacker can also modify or cancel appointments.
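The authorization pattern the description above refers to, shown as an added example in generic WordPress REST API form (this is not code from the Simply Schedule Appointments plugin; the route namespace, the setting keys and every demo_ssa_* name are illustrative assumptions). The point it makes is that a nonce check proves the request came from a page that carried the nonce, not who the caller is, so a handler guarded only by a public nonce must still filter its response by the caller's real capabilities:

```php
<?php
/**
 * Added example, not code from the Simply Schedule Appointments plugin:
 * the authorization pattern the advisory describes, in generic WordPress
 * REST API form. Route namespace, setting keys and all demo_ssa_* names
 * are illustrative assumptions.
 */

// Constructed sample settings store mixing public and administrator-only fields.
function demo_ssa_all_settings( string $section ): array {
    $store = array(
        'general' => array(
            'business_name'      => 'Example Clinic',
            'time_zone'          => 'UTC',
            'admin_email'        => 'owner@example.invalid',    // admin-only
            'admin_phone'        => '+1 555 0100',              // admin-only
            'internal_api_token' => 'constructed-sample-token', // admin-only
        ),
    );
    return $store[ $section ] ?? array();
}

// Keys that must never reach an unprivileged caller.
const DEMO_SSA_ADMIN_ONLY_KEYS = array( 'admin_email', 'admin_phone', 'internal_api_token' );

/**
 * Permission callback of the vulnerable shape: it only verifies a nonce.
 * A nonce created for a public action and handed to anonymous visitors
 * (as the advisory says embed-inner did) says nothing about the caller,
 * so this check alone admits everyone who can fetch that nonce.
 */
function demo_ssa_nonce_only_permission( WP_REST_Request $request ): bool {
    $nonce = (string) $request->get_header( 'X-Demo-Nonce' );
    return false !== wp_verify_nonce( $nonce, 'demo_ssa_public' );
}

// Vulnerable handler shape: returns the whole section, admin-only keys included.
function demo_ssa_get_item_vulnerable( WP_REST_Request $request ) {
    $section = sanitize_key( $request['section'] );
    return rest_ensure_response( demo_ssa_all_settings( $section ) );
}

// Field-level filter: administrators see everything, everyone else only public keys.
function demo_ssa_remove_unauthorized_settings( array $settings ): array {
    if ( current_user_can( 'manage_options' ) ) {
        return $settings;
    }
    return array_diff_key( $settings, array_flip( DEMO_SSA_ADMIN_ONLY_KEYS ) );
}

// Hardened handler: same nonce-only permission callback, but the response is
// filtered by the caller's actual capabilities, so the public nonce path only
// ever yields the public subset.
function demo_ssa_get_item( WP_REST_Request $request ) {
    $section  = sanitize_key( $request['section'] );
    $settings = demo_ssa_remove_unauthorized_settings( demo_ssa_all_settings( $section ) );
    return rest_ensure_response( $settings );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-ssa/v1', '/settings/(?P<section>[a-z_]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'demo_ssa_get_item',
        'permission_callback' => 'demo_ssa_nonce_only_permission',
    ) );
} );
```

Requesting /wp-json/demo-ssa/v1/settings/general anonymously with a valid public nonce returns only business_name and time_zone; the same request from a logged-in administrator returns all five keys. The stronger design is to require manage_options in the permission callback for any administrator-only section and keep the field filter as defense in depth, so that a forgotten filter call degrades to a 403 rather than to a data leak.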
Recommendations: Update installations running versions through 1.6.9.29 to a newer, fixed version. As a temporary workaround, restrict access to the /wp-json/ssa/v1/embed-inner endpoint and, if possible, temporarily disable the SSA_Settings_Api module. Both measures can affect the public booking widget, so verify that booking still works after applying them, and remove them once the plugin is updated.
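One way to apply the interim workaround above without editing the plugin, as an added example (not vendor code): a must-use plugin that refuses anonymous requests to the two routes the advisory names before WordPress dispatches them. The route matching is an assumption based on the endpoint paths in the advisory; the demo_ssa_* name is illustrative.

```php
<?php
/**
 * Plugin Name: Temporary SSA REST restriction
 * Description: Added example (not vendor code) of the advisory's interim
 *              workaround. Place in wp-content/mu-plugins/ and delete it
 *              after updating past 1.6.9.29. Route matching is an assumption
 *              based on the endpoint paths named in the advisory.
 */

// The nonce source and the settings reader the advisory ties to the exposure.
function demo_ssa_is_restricted_route( string $route ): bool {
    return '/ssa/v1/embed-inner' === $route
        || 0 === strpos( $route, '/ssa/v1/settings/' );
}

// rest_pre_dispatch runs before any permission callback; returning a
// WP_Error short-circuits dispatch and is sent back as a 403.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( demo_ssa_is_restricted_route( $request->get_route() ) && ! is_user_logged_in() ) {
        return new WP_Error(
            'demo_ssa_temporarily_restricted',
            'This endpoint is temporarily unavailable to anonymous requests.',
            array( 'status' => 403 )
        );
    }
    return $result;
}, 10, 3 );
```

This blocks only anonymous callers, which is the population the advisory describes, so administrators keep working in the dashboard. Because the public booking embed is what fetches embed-inner, expect the visitor-facing booking form to stop working while this is in place; it buys time until the update is applied, it is not a fix.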

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-3045

Affected Products

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin