Easy Appointments < 3.12.22 – Unauthenticated Sensitive Information Exposure via REST API | CVE 2026-2262 | Plugin Vulnerabilities

Description

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

Affects Plugins

easy-appointments

Fixed in 3.12.22

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e681aa8e-522e-4092-aa1f-8ada3097c8d6

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

MD. TAREQ AHAMED JONY (itztrq)

Verified

No

WPVDB ID

fe95cc3c-2f1e-4085-8d79-c1ec5e0c4e86

Timeline

Publicly Published

2026-04-17 (about 26 days ago)

Added

2026-04-17 (about 26 days ago)

Last Updated

2026-04-18 (about 26 days ago)

Other

Published

Title

Published

2025-09-25

Title

Email marketing for WordPress by GetResponse Official < 1.5.4 - Authenticated (Subscriber+) Information Exposure

Published

2025-01-06

Title

Korea for WooCommerce < 1.1.12 - Authenticated (Subscriber+) Sensitive Information Exposure

Published

2025-09-11

Title

Rank Math SEO < 1.0.253 - Subscriber+ Information Exposure

Published

2024-11-04

Title

Ultimate Bootstrap Elements for Elementor < 1.4.7 - Authenticated (Contributor+) Sensitive Information Exposure

Published

2023-12-27

Title

Database Cleaner < 0.9.9 - Sensitive Information Exposure via Log File