Easy Appointments <= 3.12.21 - Information Disclosure

Easy Appointments WordPress plugin = 3.12.21 contains a sensitive information exposure caused by an unauthenticated REST API endpoint /wp-json/wp/v2/eablocks/eaappointments/ registered with permissioncallback allowing unrestricted access, letting unauthenticated attackers extract sensitive custom...

CVE-2026-2262

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permissioncallback' = 'returntrue', which...

WordPress Easy Appointments plugin <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API vulnerability

Unauthenticated Sensitive Information Exposure via REST API vulnerability discovered by MD. TAREQ AHAMED JONY itztrq - Knight Squad in WordPress Plugin Easy Appointments versions = 3.12.21...

EUVD-2026-23577

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permissioncallback' = 'returntrue', which...

WordPress plugin Easy Appointments 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVE-2026-2262 Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permissioncallback' = 'returntrue', which...

CVE-2026-2262 Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permissioncallback' = 'returntrue', which...

CVE-2026-2262

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permissioncallback' = 'returntrue', which...

CVE-2026-2262

The Easy Appointments WordPress plugin (up to version 3.12.21) exposes sensitive customer data via the REST endpoint /wp-json/wp/v2/eablocks/ea_appointments/ because permission_callback is set to __return_true. This allows unauthenticated access to full names, email addresses, phone numbers, IP a...

PT-2026-33528

Name of the Vulnerable Software and Affected Versions Easy Appointments plugin for WordPress versions prior to 3.12.22 Description Sensitive information exposure occurs via the '/wp-json/wp/v2/eablocks/ea appointments/' REST API endpoint. The issue arises because the endpoint is registered with t...

WordPress Easy Appointments plugin <= 3.12.21 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Martín Martín in WordPress Plugin Easy Appointments versions = 3.12.21...

CVE-2026-23622

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from...

CVE-2026-23622 CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from...

CVE-2026-23622

CVE-2026-23622 involves a CSRF protection bypass in Easy!Appointments (versions ≤ 1.5.2) where application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests. As a result, state-changing endpoints that accept GET/$_REQUEST parameters—such as /admins/store, /admins/update, an...

EUVD-2026-2736

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from...

CVE-2026-23622 CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from...

Easy!Appointments has a security vulnerability.

Easy!Appointments is a web-based appointment and calendar management system developed by Alex Tselegidis. Versions of Easy!Appointments prior to 1.5.2 contained security vulnerabilities. These vulnerabilities stemmed from the lack of CSRF protection for only POST requests, which could allow for...

CVE-2024-2844

The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajaxcancelappointment function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders...

WordPress Easy Appointments plugin cross-site scripting vulnerability

WordPress Easy Appointments plugin is a free WordPress appointment management plugin, mainly used to create and manage service appointment system, support multi-location, multi-service, multi-staff appointment function. A cross-site scripting vulnerability exists in the WordPress Easy Appointment...

CVE-2025-49398

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in Easy Appointments Easy Appointments easy-appointments allows Code Injection.This issue affects Easy Appointments: from n/a through = 3.12.14...