CVE-2022-2374
The CVE-2022-2374 entry concerns the WordPress plugin Simply Schedule Appointments (pre-1.5.7.7). The vulnerability arises because some plugin settings are not properly sanitised/escaped, enabling Stored Cross-Site Scripting (XSS) by high-privilege users (e.g., admins), even if unfiltered_html is...
CVE-2022-2373 Simply Schedule Appointments < 1.5.7.7 - Unauthenticated Email Address Disclosure
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users' details such as name and email address...
CVE-2022-2373
The CVE-2022-2373 entry concerns the WordPress plugin Simply Schedule Appointments (before 1.5.7.7). The issue is missing authorization in a REST endpoint, enabling unauthenticated access to WordPress user details (name and email). Impact is information disclosure; base CVSS 3.1 score is 5.3 (MED...
WordPress plugin Simply Schedule Appointments Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in the...
PT-2022-16242 · WordPress · Simply Schedule Appointments
Name of the Vulnerable Software and Affected Versions: Simply Schedule Appointments WordPress plugin versions prior to 1.5.7.7. Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered_html capabilit...
PT-2022-16234 · WordPress · Simply Schedule Appointments
Name of the Vulnerable Software and Affected Versions: Simply Schedule Appointments WordPress plugin versions prior to 1.5.7.7. Description: The issue is related to missing authorization in a REST endpoint, allowing unauthenticated users to retrieve WordPress users' details, such as name and email...
WordPress plugin Simply Schedule Appointments Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...
WordPress Simply Schedule Appointments plugin <= 1.5.7.6 - Unauthenticated Email Address Disclosure vulnerability
Unauthenticated Email Address Disclosure vulnerability discovered by Raad Haddad in WordPress Simply Schedule Appointments plugin versions <= 1.5.7.6. Solution: Update the WordPress Simply Schedule Appointments plugin to the latest available version, at least 1.5.7.7...
WordPress Simply Schedule Appointments plugin <= 1.5.7.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered by Raad Haddad in the WordPress Simply Schedule Appointments plugin versions <= 1.5.7.6. Solution: Update the WordPress Simply Schedule Appointments plugin to the latest available version, at least 1.5.7.7...
Simply Schedule Appointments < 1.5.7.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). Navigate to style settings:...
Simply Schedule Appointments < 1.5.7.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). PoC: Navigate to style settings:...
Simply Schedule Appointments < 1.5.7.7 - Unauthenticated Email Address Disclosure
The plugin is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users' details such as name and email address: https://example.com/wp-json/ssa/v1/users...
Diary Management System Cross-Site Scripting Vulnerability
Diary Management System is a multi-user diary management system that enables staff in an organization to set/update/view meetings and appointments. The system will run through a central server, but clients will be able to run offline. A cross-site scripting vulnerability exists in Diary Managemen...
Privilege escalation in easyappointments
The Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low privileged user (e.g. provider) can create a new admin user via the "/api/v1/admins/" endpoint and take over the system. A patch is available on the develop branch ...
GHSA-7F62-4887-CFV5 Privilege escalation in easyappointments
The Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low privileged user (e.g. provider) can create a new admin user via the "/api/v1/admins/" endpoint and take over the system. A patch is available on the develop branch ...
Easy!Appointments Security Vulnerability
Easy!Appointments is a web-based appointment and schedule management system. A security vulnerability exists in versions of Easy!Appointments prior to 1.5.0. An attacker could exploit the vulnerability to achieve API privilege escalation...
Easy Appointments 1.4.2 - Information Disclosure Exploit
Exploit Title: Easy Appointments 1.4.2 - Information Disclosure. Exploit author: noraj (Alexandre ZANNI) for ACCEIS https://www.acceis.fr. Author website: https://pwn.by/noraj/. Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482. Vendor Homepage: https://easyappointments.org/. Software Link...
Exploit for Exposure of Private Personal Information to an Unauthorized Actor in Easyappointments
Easy!Appointments PII disclosure Easy!Appointments --...
Easy!Appointments < 1.4.3 - Information Disclosure Exploit
#!/usr/bin/env ruby. Exploit Title: Easy!Appointments 1.4.3 - Unauthenticated PII events disclosure. Exploit author: noraj (Alexandre ZANNI) for ACCEIS https://www.acceis.fr. Author website: https://pwn.by/noraj/. Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482. Vendor Homepage:...
Easy!Appointments Information Disclosure
#!/usr/bin/env ruby. Exploit Title: Easy!Appointments 1.4.3 - Unauthenticated PII events disclosure. Exploit author: noraj (Alexandre ZANNI) for ACCEIS https://www.acceis.fr. Author website: https://pwn.by/noraj/. Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482. Date: 2022-04-11. Vendor...