WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Simply Schedule Appointments < 1.5.7.7 - Unauthenticated Email Address Disclosure

Description

The plugin is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address

Proof of Concept

https://example.com/wp-json/ssa/v1/users

Affects Plugins

simply-schedule-appointments
Fixed in version 1.5.7.7

References

CVE
CVE-2022-2373

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter
raadfhaddad
Verified

Yes

WPVDB ID
6aa9aa0d-b447-4584-a07e-b8a0d1b83a31

Timeline

Publicly Published

2022-08-08 (about 1 years ago)

Added

2022-08-08 (about 1 years ago)

Last Updated

2023-04-12 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin