[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flUiozr4kPpWzNrApEIXPEqRWkxhup7sUN_5n-beNf0o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-39694","simply-schedule-appointments-missing-authorization-2","Simply Schedule Appointments \u003C= 1.6.11.0 - Missing Authorization","The Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.6.11.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","simply-schedule-appointments",null,"\u003C=1.6.11.0","1.6.11.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-26 00:00:00","2026-05-05 18:31:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd48899b9-b3b3-45d7-b7e1-6a8560becb0b?source=api-prod",69,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39694\n\n## 1. Vulnerability Summary\nThe **Simply Schedule Appointments** plugin (\u003C= 1.6.10.4) is vulnerable to **Missing Authorization**. The vulnerability exists in one of the plugin's AJAX or REST API handlers (likely related to appointment management) that fails to verify the user's identity or capabilities before performing a state-changing action. This allows an unauthenticated attacker to perform actions that should be restricted, such as canceling appointments, modifying customer details, or potentially tampering with scheduling settings.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** WordPress REST API or AJAX.\n    *   **REST Route (Inferred):** `\u002Fwp-json\u002Fssa\u002Fv1\u002Fappointments\u002F\u003Cid>`\n    *   **AJAX Action (Inferred):** `ssa_cancel_appointment` or `ssa_update_appointment`\n*   **HTTP Method:** `POST` or `DELETE`\n*   **Authentication:** Unauthenticated (`nopriv`).\n*   **Parameter:** `appointment_id` (The ID of the appointment to target).\n*   **Preconditions:** The plugin must be active and at least one appointment must exist in the system (or the attacker must know\u002Fguess a valid appointment ID).\n\n## 3. Code Flow (Inferred)\n1.  The plugin registers REST routes or AJAX handlers during `init` or `rest_api_init`.\n2.  A handler (e.g., `cancel_appointment` in a REST controller or AJAX class) is defined.\n3.  The handler is registered with `permission_callback => '__return_true'` or lacks a `current_user_can()` check entirely.\n4.  The function takes an `appointment_id` from the request.\n5.  It calls a business logic function (e.g., `SSA_Appointments::cancel()`) to update the database.\n6.  Since there is no verification that the current user owns the appointment or has administrative rights, the action succeeds for any valid ID.\n\n## 4. Nonce Acquisition Strategy\nSimply Schedule Appointments frequently uses the WordPress REST API or custom AJAX. To perform unauthenticated requests that require a nonce (if the `wp_rest` nonce is checked), we can extract it from the frontend where the booking calendar is rendered.\n\n1.  **Identify Shortcode:** The plugin's primary shortcode is `[ssa_booking]`.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Booking Test\" --post_status=publish --post_content='[ssa_booking]'\n    ```\n3.  **Navigate and Extract:** Use `browser_navigate` to the new page.\n4.  **JavaScript Extraction:** The plugin localizes data into a JavaScript object. Based on common SSA versions, we will look for `ssa_booking_settings` or `ssa_booking_data`.\n    *   **Variable Name:** `window.ssa_booking_settings` (inferred)\n    *   **Nonce Key:** `nonce` or `rest_nonce`\n    *   **Command:** `browser_eval(\"window.ssa_booking_settings?.rest_nonce || window.ssa_booking_data?.nonce\")`\n\n## 5. Exploitation Strategy\nWe will attempt to cancel an appointment as an unauthenticated user using the REST API.\n\n### Step 1: Discover Appointment IDs\nIf no IDs are known, we can attempt to list them (if the listing endpoint is also unauthorized) or guess a low integer ID.\n\n### Step 2: Send Cancel Request\n*   **Endpoint:** `\u002Fwp-json\u002Fssa\u002Fv1\u002Fappointments\u002F\u003CID>\u002Fcancel` (or similar POST endpoint)\n*   **Method:** `POST`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n*   **Payload:** `{}` (Parameters may be in the URL)\n\n**Example Request:**\n```http\nPOST \u002Fwp-json\u002Fssa\u002Fv1\u002Fappointments\u002F123\u002Fcancel HTTP\u002F1.1\nHost: target.local\nContent-Type: application\u002Fjson\nX-WP-Nonce: a1b2c3d4e5\n\n{}\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `simply-schedule-appointments` is installed and active.\n2.  **Create Appointment Type:**\n    *   Use WP-CLI to create an appointment type if possible, or navigate to the SSA admin dashboard and create a \"Consultation\" type.\n3.  **Create a Target Appointment:**\n    *   Submit an appointment via the frontend as a \"Victim\" user (this creates the ID we will target).\n    *   Note the Appointment ID from the database: `wp db query \"SELECT id FROM wp_ssa_appointments LIMIT 1;\"`\n\n## 7. Expected Results\n*   **Success Response:** A `200 OK` or `204 No Content` response, often returning a JSON object indicating the status is now \"cancelled\".\n*   **Impact:** The appointment status in the database changes from `scheduled` or `pending` to `cancelled` without the attacker ever logging in or providing a private \"cancellation hash\".\n\n## 8. Verification Steps\n1.  Check the database state using WP-CLI:\n    ```bash\n    wp db query \"SELECT status FROM wp_ssa_appointments WHERE id = \u003CTARGET_ID>;\"\n    ```\n2.  Confirm the status is `cancelled`.\n3.  Check the plugin's internal logs (if enabled) to see if the action was logged as performed by an anonymous user.\n\n## 9. Alternative Approaches\nIf the REST API is properly protected, the vulnerability may reside in the legacy AJAX handlers:\n*   **Action:** `ssa_cancel_appointment`\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Payload:** `action=ssa_cancel_appointment&appointment_id=\u003CID>&nonce=[NONCE]`\n\nIf simple ID-based cancellation is patched, check if the \"Customer Update\" endpoint allows changing the `email` or `name` of an existing appointment without authorization:\n*   **Endpoint:** `\u002Fwp-json\u002Fssa\u002Fv1\u002Fcustomers\u002F\u003CID>`\n*   **Method:** `POST`\n*   **Payload:** `{\"email\": \"attacker@evil.com\"}` (Changing the notification email allows an attacker to take over subsequent communication).","The Simply Schedule Appointments plugin for WordPress (versions up to and including 1.6.10.4) is vulnerable to unauthorized access due to missing capability checks on its REST API or AJAX handlers. This allows unauthenticated attackers to perform sensitive actions, such as canceling appointments or modifying customer data, by interacting with vulnerable endpoints that fail to verify the requester's identity or permissions.","1. Identify a valid appointment ID to target (e.g., through enumeration or discovery).\n2. Extract a valid REST API nonce from a public page where the [ssa_booking] shortcode is present; the nonce is typically located within the 'ssa_booking_settings' or 'ssa_booking_data' JavaScript object in the page source.\n3. Send an unauthenticated HTTP POST request to the vulnerable REST endpoint, such as '\u002Fwp-json\u002Fssa\u002Fv1\u002Fappointments\u002F\u003CID>\u002Fcancel', or an AJAX request to 'admin-ajax.php' using the 'ssa_cancel_appointment' action.\n4. Include the retrieved nonce in the request headers (e.g., 'X-WP-Nonce') or payload to satisfy the nonce check.\n5. The plugin executes the request without checking for administrative capabilities or ownership, resulting in the unauthorized modification or cancellation of the appointment.","gemini-3-flash-preview","2026-04-18 23:34:17","2026-04-18 23:34:37",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","1.6.11.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimply-schedule-appointments\u002Ftags\u002F1.6.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimply-schedule-appointments.1.6.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimply-schedule-appointments\u002Ftags"]