WordPress Plugin Vulnerabilities

Simply Schedule Appointments < 1.6.9.17 - Missing Authorization

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.9.15. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
simply-schedule-appointments
Fixed in 1.6.9.17

References

CVE
CVE-2025-69315
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0eb94259-5f24-49dd-bf4b-0c1dd996d9d4

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
benzdeus
Verified
No
WPVDB ID
29d44d92-3ffa-4ef9-b883-efee90c27223

Timeline

Publicly Published
2026-01-20 (about 3 months ago)
Added
2026-01-28 (about 3 months ago)
Last Updated
2026-01-28 (about 3 months ago)

Other

Published
Title
Published
2026-02-25
Title
Bakery Autoresponder Addon <= 1.0.6 - Missing Authorization
Published
2024-05-14
Title
Radio Player < 2.0.74 - Missing Authorization
Published
2025-12-22
Title
Premium Addons for Elementor < 4.11.54 - Unauthenticated Sensitive Information Exposure
Published
2025-01-24
Title
CoBlocks < 3.1.14 - Missing Authorization
Published
2024-11-20
Title
Multiple Themes - Authenticated (Subscriber+) Arbitrary Plugin Activation and Deactivation