Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.16 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.6.9.16Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-13754 ## 1. Vulnerability Summary The **Simply Schedule Appointments** plugin (<= 1.6.9.16) registers a REST API endpoint `/wp-json/ssa/v1/embed-inner-admin` intended for administrative use (embedding the admin interface). However, this endpoint lacks a prope…
Show full research plan
Exploitation Research Plan - CVE-2025-13754
1. Vulnerability Summary
The Simply Schedule Appointments plugin (<= 1.6.9.16) registers a REST API endpoint /wp-json/ssa/v1/embed-inner-admin intended for administrative use (embedding the admin interface). However, this endpoint lacks a proper permission_callback or fails to implement authorization checks, allowing any unauthenticated user to access it. The endpoint returns a JSON payload containing sensitive configuration data, including business details, staff names, and internal plugin settings not intended for public view.
2. Attack Vector Analysis
- Endpoint:
/wp-json/ssa/v1/embed-inner-admin - Method:
GET - Authentication: None Required (Unauthenticated)
- Parameter: None required for the basic leak, though query parameters might filter the output.
- Preconditions: The plugin must be installed and activated. Sensitive data (like staff names or business settings) should be configured to demonstrate the impact.
3. Code Flow (Inferred)
- Route Registration: The plugin likely registers the route during the
rest_api_inithook.- File (Inferred):
includes/class-ssa-rest-api.phporincludes/api/class-ssa-rest-embed.php. - Call:
register_rest_route( 'ssa/v1', '/embed-inner-admin', ... ).
- File (Inferred):
- Missing Permission Callback: The registration likely lacks the
'permission_callback'key or sets it to__return_true. - Callback Execution: When the endpoint is hit, a callback function (e.g.,
get_embed_inner_admin_data) is executed. - Data Retrieval: This function aggregates data from
get_option(e.g.,ssa_settings) and possibly custom post types for staff or appointment types. - Response: The aggregated data is returned as a
WP_REST_Response, which WordPress converts to JSON.
4. Nonce Acquisition Strategy
According to the vulnerability description, this is a Missing Authorization issue on a REST API endpoint.
- Standard WordPress REST Behavior: Typically,
GETrequests to REST API routes do not require a_wpnonceheader unless thepermission_callbackexplicitly checks for one viacurrent_user_can(). - Vulnerability Context: Since the vulnerability is that the endpoint is exposed unauthenticated, it is highly probable that no nonce or cookie is required to access this specific data.
- Verification: If the
http_requestreturns a 401 or 403, I will investigate if a frontend nonce is exposed (e.g., viassa_paramslocalized script) and if providing it in theX-WP-Nonceheader bypasses the check, though the "Missing Authorization" label suggests the endpoint is wide open.
5. Exploitation Strategy
- Target URL:
http://<target-site>/wp-json/ssa/v1/embed-inner-admin - Request Construction:
- Method:
GET - Tool:
http_request
- Method:
- Payload: None needed.
- Expected Response: A
200 OKstatus with a JSON object containing keys likesettings,business_name,staff, orappointment_types.
6. Test Data Setup
To confirm the leak is "sensitive," the environment should be populated with non-public information:
- Set Business Name:
wp option update ssa_settings '{"business_name": "Secret Admin Business", "admin_email": "admin@vulnerable.test"}'(Note: SSA uses complex JSON options, this is a simplified example). - Create Staff/Appointment Types: If possible via CLI, or verify default settings are leaked.
- Enable Integration: If testing a premium version, configure a mock API key in settings to see if it is included in the JSON response.
7. Expected Results
A successful exploit will return a JSON body containing information such as:
{
"settings": {
"business_name": "Secret Admin Business",
"admin_email": "admin@vulnerable.test",
"some_internal_key": "internal_value"
},
"staff": [
{
"id": 1,
"name": "Private Staff Member"
}
]
}
The absence of a "rest_forbidden" or "rest_cannot_access" error confirms the vulnerability.
8. Verification Steps
- Compare Response: Run
wp option get ssa_settings(or the equivalent option name used by SSA) via CLI. - Match: Verify that values found in the CLI output (which should be private) appear in the JSON response from the unauthenticated HTTP request.
- Check Context: Verify these settings are not visible on the standard public booking page (which usually only shows available times and appointment types).
9. Alternative Approaches
- Check for Query Params: If the response is empty, try adding common SSA parameters like
?appointment_type=...or?admin=true. - Frontend Nonce: If the endpoint requires a nonce despite being "unauthenticated" (a common SSA pattern for its frontend components), use
browser_navigateto the homepage, then:browser_eval("window.ssa_params?.nonce")orbrowser_eval("window.ssaData?.nonce").- Include this in the
X-WP-Nonceheader of thehttp_request. This would still be a vulnerability if the nonce is available to everyone and the endpoint allows access to admin-level data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.