Appointment Booking Calendar — Simply Schedule Appointments Booking…

Mar 12, 2026 | Plugins

Attack Vectors

CVE-2026-3045 is a High severity vulnerability (CVSS 7.5) affecting the WordPress plugin Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (slug: simply-schedule-appointments) in versions up to and including 1.6.9.29. The issue can be exploited remotely over the internet without a valid WordPress account: the CVSS vector records a network attack vector, no privileges required and no user interaction.

The exposure begins with a publicly accessible REST endpoint: /wp-json/ssa/v1/embed-inner. Unauthenticated visitors can retrieve a public_nonce from this endpoint. A WordPress nonce is a CSRF token, not a credential: it shows that a request came from a page the site itself served, and a nonce generated for a logged-out visitor is the same value for every logged-out visitor. Because this one is not bound to any specific logged-in user, an attacker can reuse it as a stepping stone to query settings-related REST API functionality that should be restricted.

This gives an attacker a straightforward path: request the public endpoint, read the nonce out of the response, and present it to the settings retrieval logic, whose authorization check treats possession of that nonce as sufficient.

Security Weakness

This vulnerability stems from missing authorization controls that result in unauthenticated sensitive information exposure via the plugin’s Settings REST API behavior.

Two weaknesses combine to create the problem: (1) a public_nonce that is bound to no user is handed to unauthenticated visitors through the public REST endpoint, and (2) the plugin's settings retrieval method (get_item() in SSA_Settings_Api) delegates authorization to nonce_permissions_check(), which accepts that public nonce. A further gap widens the exposure: get_item() does not call remove_unauthorized_settings_for_current_user(), the filter that strips settings the current user is not allowed to see, so once the permission check is passed the full settings set can be returned rather than a role-appropriate subset.
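To make the two weaknesses concrete, here is an added illustration written for this page, not code from the Simply Schedule Appointments plugin: a simplified WordPress plugin fragment that places the vulnerable shape (a permission callback that accepts a nonce handed out by a public route) next to a hardened version that separates CSRF protection from authorization and filters the response by role. It assumes WordPress is loaded; the route namespace and paths (ssa-example/v1/...), the nonce action, the option and setting key names and the capability choices are all placeholders, not the plugin's real identifiers.

```php
<?php
// Added illustration, not code from the Simply Schedule Appointments plugin.
// It models the pattern the advisory describes (a public nonce accepted as
// authorization) and a hardened equivalent. Route paths, option and setting
// names, the nonce action and the capability choices are all assumptions.

// ---- Vulnerable shape: nonce-only "permission" check ----------------------
// A public endpoint hands out a nonce. For a logged-out visitor WordPress
// builds the nonce from user ID 0 and an empty session token, so every
// logged-out visitor receives the same value within the nonce lifetime:
// possessing it proves nothing about who the caller is.
function ssa_example_embed_inner( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'public_nonce' => wp_create_nonce( 'ssa_example_public' ), // assumed action name
    ) );
}

// Treating that nonce as authorization is the bug: wp_verify_nonce() answers
// "was this token minted for this action and context?", never "may this
// caller read settings?".
function ssa_example_nonce_only_permission( WP_REST_Request $request ) {
    $nonce = (string) $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'ssa_example_public' );
}

function ssa_example_get_settings_unfiltered( WP_REST_Request $request ) {
    // Returns the whole option blob, admin-only keys included.
    return rest_ensure_response( get_option( 'ssa_example_settings', array() ) );
}

// ---- Hardened shape --------------------------------------------------------
// 1. Authorization is a capability check on an authenticated user. Core
//    validates X-WP-Nonce against the 'wp_rest' action before any route runs:
//    a cookie caller with no nonce is treated as logged out and one with an
//    invalid nonce is rejected with 403, so the callback below never sees a
//    cookie-authenticated user whose CSRF token was not checked.
function ssa_example_settings_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Assumed minimum capability for staff who work with bookings.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

// 2. Even for permitted users, drop keys the current role may not read. This
//    is the filtering step the advisory says get_item() skipped.
function ssa_example_remove_unauthorized_settings_for_current_user( array $settings ) {
    $admin_only = array( 'api_key', 'smtp_password', 'webhook_secret' ); // assumed key names
    if ( ! current_user_can( 'manage_options' ) ) {
        foreach ( $admin_only as $key ) {
            unset( $settings[ $key ] );
        }
    }
    return $settings;
}

function ssa_example_get_settings( WP_REST_Request $request ) {
    $settings = (array) get_option( 'ssa_example_settings', array() );
    return rest_ensure_response( ssa_example_remove_unauthorized_settings_for_current_user( $settings ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ssa-example/v1', '/embed-inner', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'ssa_example_embed_inner',
        'permission_callback' => '__return_true', // deliberately public, as in the advisory
    ) );
    // The vulnerable pairing would be callback ssa_example_get_settings_unfiltered
    // with permission_callback ssa_example_nonce_only_permission. Register the
    // hardened pairing instead:
    register_rest_route( 'ssa-example/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'ssa_example_get_settings',
        'permission_callback' => 'ssa_example_settings_permission',
    ) );
} );
```

The point of the hardened version is the separation of duties: wp_verify_nonce() is CSRF protection and is never consulted to decide whether a caller may read settings; that decision is made by current_user_can() on an authenticated user, and the response is filtered a second time by role so that loosening the permission callback later cannot silently expose admin-only keys. With this shape, an unauthenticated caller presenting the public nonce receives 401 or 403 from the settings route instead of a settings payload.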

From a governance perspective, this is a classic “authorization bypass” pattern: a publicly obtainable token is treated as sufficient permission to access information that should require authentication and role-based access.

Technical or Business Impacts

The direct risk is confidentiality loss (CVSS: C:H). Depending on what settings are exposed in a given deployment, this can reveal information that increases overall organizational risk—such as operational configuration details or other sensitive plugin settings that were expected to be admin-only.

For marketing and revenue teams, even “read-only” exposure can be damaging: leaked configuration details can help attackers tailor follow-on attacks (phishing, social engineering, or targeted probing) and can undermine customer trust if booking-related configuration or related operational details are disclosed.

For executives and compliance teams, this can create audit and reporting pressure. If exposed information falls under internal confidentiality rules, contractual obligations, or privacy-related policies, the organization may need to assess whether an incident occurred, document findings, and potentially notify stakeholders depending on jurisdiction and data classification.

Remediation: Update Appointment Booking Calendar — Simply Schedule Appointments to version 1.6.10.0 or newer (patched). Prioritize this update if the plugin is internet-facing and actively used. After updating, verify the fix rather than assuming it: request the plugin's settings REST functionality from an unauthenticated session, with and without the public_nonce obtained from /wp-json/ssa/v1/embed-inner, and confirm that the response is a 401 or 403 error rather than a settings payload. Also review web server and application logs for unauthenticated requests to the plugin's settings routes that returned 200 before the update, since a successful read would leave no other trace.

Similar Attacks

While CVE-2026-3045 is specific to this plugin, the underlying pattern—REST/API endpoints exposing sensitive data due to missing authorization checks—has appeared in other high-impact WordPress issues:

WordPress REST API Content Injection (2017) – an unauthenticated flaw in the core REST API of WordPress 4.7.0 and 4.7.1 that let anyone modify post content, the canonical example of a public endpoint whose permission check could be sidestepped
CVE-2019-9978 (Social Warfare) – an unauthenticated flaw in the plugin's settings-import handling that led to stored XSS and remote code execution
CVE-2021-29447 – an XML External Entity (XXE) issue in WordPress core's media library handling (5.6 to 5.7) reachable by a user allowed to upload media, illustrating how "indirect" exposure paths can lead to serious outcomes

These examples reinforce a key business takeaway: public-facing endpoints and “helper” tokens (like nonces) must be treated as part of your attack surface, and access to settings or administrative data should always be enforced with strong, role-based authorization.
