[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYSQU3hn4hTblwxja9xYZvPJ2hxvsrdG7BFsv_lF4gWg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-42384","appointment-booking-calendar-simply-schedule-appointments-booking-plugin-unauthenticated-sensitive-information-exposure-2","Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin \u003C 1.6.11.2 - Unauthenticated Sensitive Information Exposure","The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 1.6.11.2 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","simply-schedule-appointments",null,"\u003C1.6.11.2","1.6.11.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-27 00:00:00","2026-04-30 15:00:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef2e44ea-0049-4370-abd0-0b631e3d2d37?source=api-prod",4,[22,23,24,25,26,27,28,29],"CHANGELOG.md","includes\u002Fclass-appointment-model.php","includes\u002Fclass-elementor.php","includes\u002Fclass-notifications.php","includes\u002Fclass-paypal-ipn-listener.php","readme.txt","simply-schedule-appointments.php","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-42384\n\n## 1. Vulnerability Summary\nThe **Simply Schedule Appointments (SSA)** plugin for WordPress is vulnerable to **Unauthenticated Sensitive Information Exposure** in versions up to 1.6.11.2. The vulnerability exists because several REST API endpoints, specifically those handling settings and debug information, were registered without proper `permission_callback` authorization checks. This allow an unauthenticated attacker to query these endpoints and retrieve sensitive configuration data, including third-party API keys (Mailchimp, Google, Twilio, Stripe), site configurations, and potentially appointment or customer details.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API Namespace `ssa\u002Fv1` (inferred).\n*   **Target Routes:** \n    *   `\u002Fwp-json\u002Fssa\u002Fv1\u002Fsettings` (Exposure of plugin settings)\n    *   `\u002Fwp-json\u002Fssa\u002Fv1\u002Fdebug` (Exposure of system debug information)\n*   **HTTP Method:** `GET`\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. Sensitive data (like API keys) is more likely to be found if the plugin has been configured by an administrator.\n\n## 3. Code Flow\n1.  During the `rest_api_init` hook (likely inside the `SSA_Settings_Api` class or `Simply_Schedule_Appointments` initialization), routes are registered using `register_rest_route()`.\n2.  In vulnerable versions, the `permission_callback` for the `settings` and `debug` routes is either missing, returns `__return_true`, or lacks a check for `manage_options` capabilities.\n3.  An unauthenticated request to `\u002Fwp-json\u002Fssa\u002Fv1\u002Fsettings` triggers the handler (e.g., `get_settings` in `SSA_Settings_Api`).\n4.  The handler fetches all options from the `wp_options` table (e.g., the `ssa_settings` option) and returns them as a JSON response without verifying the requester's identity.\n\n## 4. Nonce Acquisition Strategy\nREST API endpoints in WordPress typically require a nonce (`X-WP-Nonce`) only when using cookie-based authentication for state-changing requests (POST, DELETE) or when the route explicitly mandates it. For unauthenticated information exposure via `GET` requests, the vulnerability implies the endpoint is accessible **without** a nonce.\n\nIf the endpoint *does* check for a nonce, SSA often localizes it in its booking widgets.\n*   **Strategy:**\n    1.  Create a page with the SSA booking shortcode: `[ssa_booking]`.\n    2.  Navigate to the page.\n    3.  Extract the nonce from the localized JS object using `browser_eval`.\n*   **Variable Name:** `window.ssa_localized?.ssa_rest_nonce` (inferred based on standard SSA JS architecture).\n*   **Note:** The changelog states \"Add Authorization to Settings REST API Endpoint\", which strongly suggests the fix was adding a `permission_callback` check rather than a nonce check.\n\n## 5. Exploitation Strategy\nThe goal is to retrieve the plugin's configuration settings which may contain API keys.\n\n1.  **Request Settings:** Perform an unauthenticated GET request to the settings endpoint.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fssa\u002Fv1\u002Fsettings`\n    *   **Method:** `GET`\n    *   **Header:** `Accept: application\u002Fjson`\n\n2.  **Request Debug Info:** Perform an unauthenticated GET request to the debug endpoint.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fssa\u002Fv1\u002Fdebug`\n    *   **Method:** `GET`\n\n3.  **Analyze Response:** Look for keys such as:\n    *   `mailchimp_api_key`\n    *   `google_calendar_client_id` \u002F `google_calendar_client_secret`\n    *   `stripe_publishable_key` \u002F `stripe_secret_key`\n    *   `twilio_account_sid` \u002F `twilio_auth_token`\n\n## 6. Test Data Setup\nTo demonstrate a high-impact exposure, we need to populate the settings with dummy \"sensitive\" data.\n\n```bash\n# Set a dummy Mailchimp API key in the SSA settings\n# SSA settings are usually stored in a serialized array in the 'ssa_settings' option.\nwp eval '\n$settings = get_option(\"ssa_settings\", []);\n$settings[\"mailchimp_api_key\"] = \"AK_SECRET_VULN_TEST_12345\";\n$settings[\"twilio_auth_token\"] = \"TOKEN_VULN_TEST_67890\";\nupdate_option(\"ssa_settings\", $settings);\n'\n\n# Create a dummy appointment to see if appointment-related endpoints are also exposed\nwp eval '\nglobal $wpdb;\n$wpdb->insert($wpdb->prefix . \"ssa_appointments\", [\n    \"customer_information\" => serialize([\"email\" => \"victim@example.com\", \"name\" => \"Victim User\"]),\n    \"status\" => \"booked\",\n    \"appointment_type_id\" => 1\n]);\n'\n```\n\n## 7. Expected Results\n*   **Settings Endpoint:** A successful response (`200 OK`) containing a JSON object. The object should include the keys `mailchimp_api_key` and `twilio_auth_token` with the values set in the test data.\n*   **Debug Endpoint:** A JSON response containing system information, server paths, and potentially database version details.\n\n## 8. Verification Steps\n1.  **Verify Response Content:** Use the PoC agent to check if the string `AK_SECRET_VULN_TEST_12345` is present in the HTTP response body.\n2.  **Compare with Database:** Use WP-CLI to confirm the retrieved value matches the database:\n    ```bash\n    wp option get ssa_settings --format=json | grep \"AK_SECRET_VULN_TEST_12345\"\n    ```\n\n## 9. Alternative Approaches\nIf the routes `\u002Fsettings` or `\u002Fdebug` return `404` or `401`, try the following variations:\n*   **Variation 1 (Namespace check):** Explore the namespace list to find the correct slug:\n    `GET http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002F` and look for `ssa\u002Fv1` or `ssa\u002Fv2` in the `namespaces` array.\n*   **Variation 2 (Specific setting sub-routes):** Some plugins split settings:\n    `GET http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fssa\u002Fv1\u002Fsettings\u002Fmailchimp`\n    `GET http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fssa\u002Fv1\u002Fsettings\u002Fgoogle-calendar`\n*   **Variation 3 (Support Status):** The main class mentions `support_status_api`. Try:\n    `GET http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fssa\u002Fv1\u002Fsupport-status`","gemini-3-flash-preview","2026-05-04 18:26:11","2026-05-04 18:26:43",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.6.11.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimply-schedule-appointments\u002Ftags\u002F1.6.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimply-schedule-appointments.1.6.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimply-schedule-appointments\u002Ftags\u002F1.6.11.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimply-schedule-appointments.1.6.11.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimply-schedule-appointments\u002Ftags"]