PT-2026-33528 · WordPress · Easyappointments

Published 2026-04-17 · Updated 2026-04-21 · CVE-2026-2262

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Easy Appointments plugin for WordPress versions prior to 3.12.22

Description

Sensitive information exposure occurs via the '/wp-json/wp/v2/eablocks/ea appointments/' REST API endpoint. The issue arises because the endpoint is registered with the permission callback variable set to return true, allowing access without authentication or authorization checks. Unauthenticated attackers can extract customer appointment data, including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

Recommendations

Update the plugin to a version later than 3.12.21. As a temporary workaround, restrict access to the '/wp-json/wp/v2/eablocks/ea appointments/' endpoint to minimize the risk of exploitation.
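
One way to apply the temporary workaround from inside WordPress, shown as an added example that is not code from the plugin or from this advisory: a must-use plugin that rejects requests to the affected route namespace unless the caller has a chosen capability. The file placement, the match on the whole '/wp/v2/eablocks/' prefix, and the 'manage_options' capability are assumptions to adjust for the site.

```php
<?php
/**
 * Plugin Name: Restrict eablocks REST routes (temporary workaround)
 *
 * Added example. Assumed placement: wp-content/mu-plugins/, removed again
 * once the Easy Appointments plugin has been updated.
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already produced a response or an error: keep it.
    if ( null !== $result ) {
        return $result;
    }

    // get_route() returns the path without the /wp-json prefix.
    // Assumption: the whole eablocks namespace is restricted, which is
    // broader than the single endpoint named in the advisory.
    if ( 0 !== strpos( $request->get_route(), '/wp/v2/eablocks/' ) ) {
        return $result;
    }

    // Assumption: only administrators need appointment data over REST.
    // Use a lower capability if editors rely on these routes.
    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Returning a WP_Error here stops the route callback from running.
    // The helper yields 401 for anonymous callers and 403 for logged-in ones.
    return new WP_Error(
        'rest_forbidden',
        'Authentication required.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

After deploying it, an unauthenticated request to the endpoint should return a 401 error object instead of appointment records; cookie-authenticated callers still need a valid REST nonce to be recognized as logged in.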

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-2262

Affected Products

Easyappointments