WordPress Simply Schedule Appointments Missing Authorization Arbitrary Modification (CVE-2026-6937)

Vulnerability Overview Vulnerability Name: Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint CVE ID: CVE-2026-6937 CVSS Score: 5.3 (Medium) Publication Date: May 27, 2026 Last Updated: May 28, 2026 Researcher: wnrae Impact Scope Affected Versions: <= 1.6.11.8 Fixed Version: 1.6.11.9 Software Type: Plugin Software Slug: simply-schedule-appointments (view on wordpress.org) Patched: Yes Remediation Remediation Advice: Update to version 1.6.11.9 or later patched versions. Vulnerability Description The vulnerability exists in the Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin, affecting all versions <= 1.6.11.8. Due to improper validation of user permissions for operations performed via the bulk appointments REST API endpoint, unauthenticated attackers can arbitrarily modify appointment records, including customer PII, payment status, and meeting URL fields, and expose complete customer PII from existing appointment records. Public notifications are static, user-independent values present in the HTML source; anyone accessing the page can retrieve them and use them to target any appointment in the system without authentication. Reference Links plugins.trac.wordpress.org Share Options Facebook X (Twitter) LinkedIn Email Additional Information Recently Discovered Vulnerabilities: - CVE-2026-39447: Stored Cross-Site Scripting - CVE-2026-7797: Unauthenticated SQL Injection via 'append_where_sql' Parameter - CVE-2026-7493: Unauthenticated Denial of Service - CVE-2026-4807: Unauthenticated Arbitrary Appointment View, Modification and Deletion - CVE-2026-42384: Unauthenticated Sensitive Information Exposure - CVE-2026-39493: Unauthenticated SQL Injection - CVE-2026-39495: Authenticated (Contributor) SQL Injection - CVE-2026-3658: Unauthenticated SQL Injection via 'fields' Parameter - CVE-2026-3045: Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint - CVE-2026-1704: Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure Copyright Information Copyright: 2012-2026 Defiant Inc. License: Defiant grants users a perpetual, worldwide, non-exclusive, irrevocable copyright license to copy, prepare derivative works, publicly display, publicly perform, sublicense, and distribute this vulnerability information. Contact Information Technical Support: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 24-hour support, 365 days a year, with a 1-hour response time Other Links Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information Social Media Facebook Twitter LinkedIn Instagram Products and Services Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisories About: - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE Request Form Subscription Updates Email Subscription: Enter email address to subscribe to news and updates Copyright Notice © 2012-2026 Defiant Inc. All Rights Reserved Additional Information Wordfence Intelligence: Offers free personal and commercial API access to a comprehensive WordPress vulnerability database, as well as free webhook integration to stay ahead of newly added and updated vulnerabilities in the database. Wordfence: Install Wordfence to receive immediate notifications of the latest vulnerabilities affecting your WordPress site. Documentation: View documentation to learn how to access and consume vulnerability data. Summary This page details a vulnerability in the Appointment Booking Calendar plugin, providing a vulnerability overview, impact scope, remediation advice, reference links, share options, recently discovered vulnerabilities, copyright information, contact information, other links, social media, products and services, subscription updates, copyright notice, and other related information.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Simply Schedule Appointments Missing Authorization Arbitrary Modification (CVE-2026-6937)

More from this source