CVE-2026-23622 CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover
Easy!Appointments is a self-hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify only enforces CSRF for POST requests and returns early for every other method. Several application endpoints perform state-changing operations while accepting parameters from...
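The method-gating flaw described above, modelled as an added example in Python. This is not Easy!Appointments' own code (the project is PHP; its request object, token storage and handler names are not reproduced here): `Request`, the `csrf_token` and `value` parameter names, and the settings store are all assumptions. The vulnerable verifier returns early for anything but POST, so a handler that reads its parameters from the merged query/body map can be driven by a cross-site GET without any token; the hardened pair checks the token for every non-safe method and refuses safe methods on the state-changing handler outright.

```python
import hmac
import secrets


class Request:
    """Constructed request model for the demo (not the project's request class)."""

    def __init__(self, method, params, session_token):
        self.method = method.upper()
        self.params = params                 # merged query-string/body parameters
        self.session_token = session_token   # CSRF token bound to the victim's session


# RFC 9110 "safe" methods: these must never change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _token_matches(sent, expected):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return bool(sent) and hmac.compare_digest(sent.encode(), expected.encode())


def csrf_verify_vulnerable(req):
    """Pattern in the advisory: only POST is checked, other methods pass through."""
    if req.method != "POST":
        return True
    return _token_matches(req.params.get("csrf_token", ""), req.session_token)


def csrf_verify_hardened(req):
    """Check the token for every non-safe method (PUT, DELETE, PATCH, ...)."""
    if req.method in SAFE_METHODS:
        return True
    return _token_matches(req.params.get("csrf_token", ""), req.session_token)


def save_setting_vulnerable(req, store):
    """State-changing handler that reads parameters regardless of method."""
    if not csrf_verify_vulnerable(req):
        return 403
    store["value"] = req.params.get("value", "")
    return 200


def save_setting_hardened(req, store):
    """Same handler with a method gate: safe methods cannot reach the write."""
    if req.method in SAFE_METHODS:
        return 405
    if not csrf_verify_hardened(req):
        return 403
    store["value"] = req.params.get("value", "")
    return 200


def demo():
    """Drive both handlers with constructed requests and return the outcomes."""
    token = secrets.token_hex(16)
    # Cross-site GET: victim is logged in, but the attacker's link carries no token.
    forged_get = Request("GET", {"value": "attacker-controlled"}, token)
    good_post = Request("POST", {"value": "legit", "csrf_token": token}, token)
    bad_post = Request("POST", {"value": "x", "csrf_token": "wrong"}, token)

    vuln, hard = {}, {}
    return {
        "vuln_get": save_setting_vulnerable(forged_get, vuln),
        "hard_get": save_setting_hardened(forged_get, hard),
        "vuln_post_ok": save_setting_vulnerable(good_post, vuln),
        "hard_post_ok": save_setting_hardened(good_post, hard),
        "vuln_post_bad": save_setting_vulnerable(bad_post, vuln),
        "hard_post_bad": save_setting_hardened(bad_post, hard),
        "vuln_store_after_get": vuln.get("value"),
    }


if __name__ == "__main__":
    print(demo())
```

The store value returned under `vuln_store_after_get` is overwritten again by the later good POST in the demo; the `vuln_get` status of 200 is the point: the forged GET reached the write with no token at all. Fixing the verifier alone is not enough, since a GET would still carry no token and still pass; the method gate on the handler is what closes the route.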
Denial Of Service (DoS)
alextselegidis/easyappointments is vulnerable to Denial of Service (DoS). The vulnerability stems from a booking logic flaw: insufficient validation of appointment duration allows unauthenticated attackers to block future booking availability by creating excessively long appointments...
PT-2025-20076
Vulnerable software and affected versions: Easy!Appointments version 1.5.1. Description: A business logic flaw in Easy!Appointments allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking...
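The duration flaw behind the two DoS entries above, as an added Python example that is not the project's code. It assumes a service catalogue with fixed durations and a naive overlap-based availability check; the service names, times and the 8-hour cap are constructed for the demo. The vulnerable booking path trusts the client-supplied end time and only checks that it lies after the start, so one request reserves a year; the hardened path derives the end time from the service's configured duration, enforces a hard cap, and rejects overlaps.

```python
from datetime import datetime, timedelta

# Constructed catalogue; durations are assumptions for the demo.
SERVICES = {"haircut": timedelta(minutes=30), "consultation": timedelta(hours=1)}
MAX_DURATION = timedelta(hours=8)   # assumed upper bound on any single appointment


def overlaps(appts, start, end):
    """True if [start, end) intersects any booked interval."""
    return any(s < end and start < e for s, e in appts)


def book_vulnerable(appts, service, start, end):
    """Accepts the client's end time as-is; only checks ordering."""
    if service not in SERVICES:
        raise ValueError("unknown service")
    if end <= start:
        raise ValueError("end must be after start")
    appts.append((start, end))


def book_hardened(appts, service, start, end):
    """Server derives the end from the service duration and caps it."""
    if service not in SERVICES:
        raise ValueError("unknown service")
    expected_end = start + SERVICES[service]
    if end != expected_end:
        raise ValueError("end time does not match service duration")
    if expected_end - start > MAX_DURATION:
        raise ValueError("appointment exceeds maximum duration")
    if overlaps(appts, start, expected_end):
        raise ValueError("slot already booked")
    appts.append((start, expected_end))


def demo():
    """One oversized booking against each path; report availability afterwards."""
    day0 = datetime(2025, 6, 2, 9, 0)
    attacker_end = day0 + timedelta(days=365)   # a one-year "appointment"
    next_week = day0 + timedelta(days=7)
    slot_end = next_week + SERVICES["haircut"]

    vuln, hard = [], []
    book_vulnerable(vuln, "haircut", day0, attacker_end)
    hardened_rejected = False
    try:
        book_hardened(hard, "haircut", day0, attacker_end)
    except ValueError:
        hardened_rejected = True

    # A legitimate customer then tries to take a 30-minute slot next week.
    return {
        "vuln_slot_free": not overlaps(vuln, next_week, slot_end),
        "hard_rejected_oversized": hardened_rejected,
        "hard_slot_free": not overlaps(hard, next_week, slot_end),
        "vuln_booked_days": (vuln[0][1] - vuln[0][0]).days,
    }


if __name__ == "__main__":
    print(demo())
```

Deriving the end time server-side is the essential fix; the cap and overlap check are defence in depth, since a long-duration service misconfigured in the catalogue would otherwise have the same effect.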
Cross-Site Scripting (XSS)
alextselegidis/easyappointments is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of the legalsettings parameter, which allows a remote attacker to execute arbitrary code...
GHSA-3WF7-83Q3-948C Remote code execution in alextselegidis/easyappointments
Cross-Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legalsettings parameter...
Easy!Appointments Improper Restriction of Excessive Authentication Attempts
An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file...
CVE-2024-57602
An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file...
CVE-2022-1397
API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Full system takeover...
Easy!Appointments Security Vulnerability
Easy!Appointments is a web-based appointment and schedule management system. A security vulnerability exists in Easy!Appointments that stems from an insecure authorization issue in the /customers interface. A low-privilege attacker can exploit the vulnerability to create low-privilege users...
WordPress Plugin Easy!Appointments Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on PHP and MySQL servers. A WordPress plugin is an application plugin for that platform. A security vulnerability exists in WordPres...
CVE-2023-2102 Cross-site Scripting (XSS) - Stored in alextselegidis/easyappointments
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0...
CVE-2023-2103 Cross-site Scripting (XSS) - Stored in alextselegidis/easyappointments
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0...