Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.11.2 - Unauthenticated Sensitive Information Exposure
Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 1.6.11.2 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<1.6.11.2What Changed in the Fix
Changes introduced in v1.6.11.2
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-42384 ## 1. Vulnerability Summary The **Simply Schedule Appointments (SSA)** plugin for WordPress is vulnerable to **Unauthenticated Sensitive Information Exposure** in versions up to 1.6.11.2. The vulnerability exists because several REST API endpoints, speci…
Show full research plan
Exploitation Research Plan: CVE-2026-42384
1. Vulnerability Summary
The Simply Schedule Appointments (SSA) plugin for WordPress is vulnerable to Unauthenticated Sensitive Information Exposure in versions up to 1.6.11.2. The vulnerability exists because several REST API endpoints, specifically those handling settings and debug information, were registered without proper permission_callback authorization checks. This allow an unauthenticated attacker to query these endpoints and retrieve sensitive configuration data, including third-party API keys (Mailchimp, Google, Twilio, Stripe), site configurations, and potentially appointment or customer details.
2. Attack Vector Analysis
- Endpoint: WordPress REST API Namespace
ssa/v1(inferred). - Target Routes:
/wp-json/ssa/v1/settings(Exposure of plugin settings)/wp-json/ssa/v1/debug(Exposure of system debug information)
- HTTP Method:
GET - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. Sensitive data (like API keys) is more likely to be found if the plugin has been configured by an administrator.
3. Code Flow
- During the
rest_api_inithook (likely inside theSSA_Settings_Apiclass orSimply_Schedule_Appointmentsinitialization), routes are registered usingregister_rest_route(). - In vulnerable versions, the
permission_callbackfor thesettingsanddebugroutes is either missing, returns__return_true, or lacks a check formanage_optionscapabilities. - An unauthenticated request to
/wp-json/ssa/v1/settingstriggers the handler (e.g.,get_settingsinSSA_Settings_Api). - The handler fetches all options from the
wp_optionstable (e.g., thessa_settingsoption) and returns them as a JSON response without verifying the requester's identity.
4. Nonce Acquisition Strategy
REST API endpoints in WordPress typically require a nonce (X-WP-Nonce) only when using cookie-based authentication for state-changing requests (POST, DELETE) or when the route explicitly mandates it. For unauthenticated information exposure via GET requests, the vulnerability implies the endpoint is accessible without a nonce.
If the endpoint does check for a nonce, SSA often localizes it in its booking widgets.
- Strategy:
- Create a page with the SSA booking shortcode:
[ssa_booking]. - Navigate to the page.
- Extract the nonce from the localized JS object using
browser_eval.
- Create a page with the SSA booking shortcode:
- Variable Name:
window.ssa_localized?.ssa_rest_nonce(inferred based on standard SSA JS architecture). - Note: The changelog states "Add Authorization to Settings REST API Endpoint", which strongly suggests the fix was adding a
permission_callbackcheck rather than a nonce check.
5. Exploitation Strategy
The goal is to retrieve the plugin's configuration settings which may contain API keys.
Request Settings: Perform an unauthenticated GET request to the settings endpoint.
- URL:
http://localhost:8080/wp-json/ssa/v1/settings - Method:
GET - Header:
Accept: application/json
- URL:
Request Debug Info: Perform an unauthenticated GET request to the debug endpoint.
- URL:
http://localhost:8080/wp-json/ssa/v1/debug - Method:
GET
- URL:
Analyze Response: Look for keys such as:
mailchimp_api_keygoogle_calendar_client_id/google_calendar_client_secretstripe_publishable_key/stripe_secret_keytwilio_account_sid/twilio_auth_token
6. Test Data Setup
To demonstrate a high-impact exposure, we need to populate the settings with dummy "sensitive" data.
# Set a dummy Mailchimp API key in the SSA settings
# SSA settings are usually stored in a serialized array in the 'ssa_settings' option.
wp eval '
$settings = get_option("ssa_settings", []);
$settings["mailchimp_api_key"] = "AK_SECRET_VULN_TEST_12345";
$settings["twilio_auth_token"] = "TOKEN_VULN_TEST_67890";
update_option("ssa_settings", $settings);
'
# Create a dummy appointment to see if appointment-related endpoints are also exposed
wp eval '
global $wpdb;
$wpdb->insert($wpdb->prefix . "ssa_appointments", [
"customer_information" => serialize(["email" => "victim@example.com", "name" => "Victim User"]),
"status" => "booked",
"appointment_type_id" => 1
]);
'
7. Expected Results
- Settings Endpoint: A successful response (
200 OK) containing a JSON object. The object should include the keysmailchimp_api_keyandtwilio_auth_tokenwith the values set in the test data. - Debug Endpoint: A JSON response containing system information, server paths, and potentially database version details.
8. Verification Steps
- Verify Response Content: Use the PoC agent to check if the string
AK_SECRET_VULN_TEST_12345is present in the HTTP response body. - Compare with Database: Use WP-CLI to confirm the retrieved value matches the database:
wp option get ssa_settings --format=json | grep "AK_SECRET_VULN_TEST_12345"
9. Alternative Approaches
If the routes /settings or /debug return 404 or 401, try the following variations:
- Variation 1 (Namespace check): Explore the namespace list to find the correct slug:
GET http://localhost:8080/wp-json/and look forssa/v1orssa/v2in thenamespacesarray. - Variation 2 (Specific setting sub-routes): Some plugins split settings:
GET http://localhost:8080/wp-json/ssa/v1/settings/mailchimpGET http://localhost:8080/wp-json/ssa/v1/settings/google-calendar - Variation 3 (Support Status): The main class mentions
support_status_api. Try:GET http://localhost:8080/wp-json/ssa/v1/support-status
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.