The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication.
The Simply Schedule Appointments WordPress plugin fails to properly authorize users on bulk appointment REST API endpoints, allowing unauthenticated attackers to modify appointment records and expose customer PII. The attack relies on a static public nonce that any website visitor can obtain from the page source.
The WordPress online-booking plugin contains an authorization flaw that allows unauthorized attackers to modify appointment records and expose customers' personal data. Visitors can obtain a static nonce from the page's HTML source and use it to reach any appointment in the system without authentication.
Update the Simply Schedule Appointments plugin to version 1.6.11.9 or later immediately. Implement proper REST API authentication checks and use dynamic, user-dependent nonces instead of static public values. Restrict bulk appointment endpoints to authenticated and authorized users only.
Update the Simply Schedule Appointments plugin to version 1.6.11.9 or later immediately. Apply proper authentication checks to the REST API and use dynamic, user-dependent nonce values instead of static public ones. Restrict bulk appointment endpoints to authorized users only.
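To make the remediation concrete, here is an added illustrative example (not the plugin's own code) of how a WordPress REST route for bulk appointment updates looks when registered with no authorization, beside a hardened registration whose permission callback requires a logged-in user, a capability, and the per-user `wp_rest` nonce. The namespace, route paths, capability name and callback names are assumptions.

```php
<?php
// Illustrative example, not the plugin's code: a bulk-appointment REST route
// registered the insecure way (for contrast only), beside a hardened version.
// Namespace, route paths, capability and function names are assumptions.

add_action( 'rest_api_init', function () {

    // WEAK: '__return_true' lets any caller, authenticated or not, reach the
    // handler. A static "public nonce" embedded in page HTML adds nothing,
    // because it is the same value for every visitor and is not tied to a user.
    register_rest_route( 'example-booking/v1', '/appointments/bulk', array(
        'methods'             => 'POST',
        'callback'            => 'example_bulk_update_appointments',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback requires an authenticated user with an
    // appropriate capability and a nonce created with wp_create_nonce('wp_rest'),
    // which WordPress binds to the current user's session.
    register_rest_route( 'example-booking/v1', '/appointments/bulk-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_bulk_update_appointments',
        'permission_callback' => 'example_bulk_permission_check',
    ) );
} );

function example_bulk_permission_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Assumed capability; a real plugin would register a narrower one of its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    // A 'wp_rest' nonce scraped from a public page by an anonymous visitor will
    // not verify here, because nonce validity depends on the logged-in user.
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Nonce check failed.', array( 'status' => 403 ) );
    }
    return true;
}

function example_bulk_update_appointments( WP_REST_Request $request ) {
    // Placeholder handler: sanitize the submitted ids and echo what would be processed.
    $ids = array_map( 'absint', (array) $request->get_param( 'ids' ) );
    return rest_ensure_response( array( 'processed' => $ids ) );
}
```

When reviewing a plugin for this class of issue, grep its `register_rest_route` calls for `'__return_true'` permission callbacks on routes that read or write customer data.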