CVE-2026-23622

Name of the Vulnerable Software and Affected Versions Easy!Appointments versions 1.5.2 and earlier

Description The application's CSRF protection in application/core/EA Security.php::csrf verify() only applies to POST requests, bypassing validation for other request methods like GET. Several application endpoints accept state-changing parameters via GET or $ REQUEST, allowing an attacker to perform Cross-Site Request Forgery (CSRF) by crafting a malicious GET request. This can lead to the creation of admin accounts, modification of admin email/password, and full admin account takeover. Vulnerable API endpoints include: ''/admins/store'', ''/admins/update'', and ''/account/save''. The vulnerable parameters include admin[first name], admin[last name], admin[email], admin[mobile number], admin[phone number], admin[address], admin[city], admin[state], admin[zip code], admin[notes], admin[language], admin[timezone], admin[settings][username], admin[settings][notifications], admin[settings][calendar view], admin[settings][password], and admin[id].

Recommendations Versions prior to 1.5.2: Enforce CSRF checks for all request methods, or require a valid CSRF token for all methods unless the URI is explicitly whitelisted. As a long-term solution, update controllers to accept only the proper HTTP method (POST/PUT/DELETE) for state-changing actions. Consider requiring re-authentication or confirmation for critical operations like email/password changes.