PT-2026-38327 · WordPress · Appointment Booking Calendar

Athiwat Tiprasaharn · Published 2026-05-07 · Updated 2026-05-07

CVE-2026-4807 · CVSS v3.1 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Appointment Booking Calendar versions prior to 1.6.10.7
Description: Flawed authorization logic in the nonce permissions check() method, combined with the public exposure of a site-wide reusable nonce, allows unauthenticated attackers to view, delete, or modify any appointment. The plugin exposes a public nonce value through the '/wp-json/ssa/v1/embed-inner' endpoint. The appointment deletion endpoints '/wp-json/ssa/v1/appointments/{id}/delete' and '/wp-json/ssa/v1/appointments/bulk' accept requests carrying an X-WP-Nonce header and an X-PUBLIC-Nonce header. If the X-WP-Nonce validation fails, the check falls back to validating the X-PUBLIC-Nonce instead of rejecting the request. Because the public nonce is accessible to all visitors and is not tied to any user, it can be used to reach the public edit URL or delete appointments by ID, leading to sensitive data disclosure and loss of booking records.
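The fallback described above, as an added illustration of the logic (not the plugin's own code): a REST permission callback that accepts the site-wide public nonce once the per-user nonce fails, beside a hardened version that treats nonces only as CSRF tokens and requires a capability check. Function names, the 'ssa_public_nonce' action string, the manage_options capability and the ssa_delete_appointment handler are assumptions.

```php
<?php
// Added illustration of the authorization flaw described in this advisory.
// Not the plugin's code: function names, the 'ssa_public_nonce' action string
// and the manage_options capability are assumptions.

// Flawed pattern: when the per-user X-WP-Nonce check fails, the callback
// falls back to the site-wide X-PUBLIC-Nonce. That nonce is handed to every
// visitor and is not tied to a user, so it cannot prove authorization.
function ssa_nonce_permissions_check_flawed( WP_REST_Request $request ) {
    $user_nonce = (string) $request->get_header( 'X-WP-Nonce' );
    if ( wp_verify_nonce( $user_nonce, 'wp_rest' ) && current_user_can( 'manage_options' ) ) {
        return true;
    }
    // Fallback: a valid public nonce is treated as sufficient. This is the bug.
    $public_nonce = (string) $request->get_header( 'X-PUBLIC-Nonce' );
    return (bool) wp_verify_nonce( $public_nonce, 'ssa_public_nonce' );
}

// Hardened pattern: a nonce is only a CSRF token. Authorization for a
// destructive route comes from the authenticated user's capability, and
// the public nonce never substitutes for it. Failure returns 403.
function ssa_nonce_permissions_check_hardened( WP_REST_Request $request ) {
    $user_nonce = (string) $request->get_header( 'X-WP-Nonce' );
    if ( ! wp_verify_nonce( $user_nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid or missing nonce.', array( 'status' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

// Register the deletion route named in the advisory with the hardened check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ssa/v1', '/appointments/(?P<id>\d+)/delete', array(
        'methods'             => 'POST',
        'callback'            => 'ssa_delete_appointment', // assumed handler
        'permission_callback' => 'ssa_nonce_permissions_check_hardened',
    ) );
} );
```

The same callback must guard the '/appointments/bulk' route as well, since the advisory names both deletion endpoints.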
Recommendations: Update to a version later than 1.6.10.6.

Fix

Weakness Enumeration: Missing Authorization
Related Identifiers: CVE-2026-4807

Affected Products: Appointment Booking Calendar