CVE-2026-12111: WordPress Booking Calendar Info Disclosure

CVE-2026-12111 is an information disclosure vulnerability in the Appointment Booking Calendar plugin for WordPress that exposes sensitive customer data. This article covers the technical details, affected versions, and mitigation strategies.

CVE-2026-12111 Overview

The Appointment Booking Calendar plugin for WordPress contains a sensitive information exposure vulnerability affecting all versions up to and including 1.4.01. The flaw resides in the cpabc_appointments_calendar_load2() function, which is reachable through the cpabc_calendar_load2=1 query parameter in wp-admin. The function only validates is_admin() and current_user_can('edit_posts'), a capability granted to Contributor-level users. Authenticated attackers can supply arbitrary calendar IDs and retrieve customer booking records from any calendar managed by the plugin [CWE-200].

Critical Impact

Authenticated Contributor-level attackers can extract customer booking data including email addresses, names, phone numbers, booking times, and comments from any calendar.

Affected Products

  • Appointment Booking Calendar plugin for WordPress
  • All versions up to and including 1.4.01
  • Sites permitting Contributor-level registration are at elevated risk

Discovery Timeline

  • 2026-06-18 - CVE-2026-12111 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-12111

Vulnerability Analysis

The vulnerability stems from insufficient authorization checks in the cpabc_appointments_calendar_load2() function. The plugin exposes the function via the cpabc_calendar_load2=1 query parameter within the WordPress admin context. Access control relies on is_admin() and current_user_can('edit_posts'), both of which are satisfied by any Contributor-level user.

The function fails to enforce per-calendar ownership validation. An authenticated attacker supplies an arbitrary value to the id parameter, and the plugin returns booking data for the matching calendar regardless of which user owns it. Returned fields include customer email addresses, names, phone numbers, booking times, and free-text comments.

Root Cause

The root cause is broken access control combined with a missing object-level authorization check. The edit_posts capability is too permissive for handling appointment data, and the plugin does not verify that the requesting user owns the calendar identified by id. This produces an Insecure Direct Object Reference where the calendar identifier serves as the sole gating value.

Attack Vector

Exploitation requires an authenticated session with Contributor privileges or higher. The attacker sends a request to the WordPress admin endpoint with cpabc_calendar_load2=1 and an arbitrary id parameter. The plugin returns booking data for the targeted calendar in the HTTP response. The technical mechanism is documented in the Wordfence Vulnerability Analysis and the WordPress Code Reference.

Detection Methods for CVE-2026-12111

Indicators of Compromise

  • HTTP requests to wp-admin containing the cpabc_calendar_load2=1 query parameter from low-privilege user sessions
  • Repeated requests with incrementing or varying values of the id parameter targeting the appointment endpoint
  • Anomalous data egress patterns from Contributor-level accounts accessing administrative endpoints

Detection Strategies

  • Inspect WordPress access logs for cpabc_calendar_load2 parameter usage tied to non-Administrator user IDs
  • Correlate authentication events with admin-area requests to identify Contributor accounts probing booking endpoints
  • Monitor for sequential enumeration of calendar id values, which indicates automated scraping attempts
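
As an added example (not part of this advisory or of the plugin), the following Python script applies the detection strategies above to constructed access log lines: it flags cpabc_calendar_load2=1 requests under wp-admin from non-Administrator accounts and reports accounts that walk several distinct id values. It assumes each log line ends with a user=login:role field, which stock web server logs do not carry and which a WordPress logging hook or mu-plugin would have to append.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines (not from any real site): Apache combined format plus an
# assumed trailing "user=<login>:<role>" field that a WordPress logging hook would add.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2026:10:01:02 +0000] "GET /wp-admin/?cpabc_calendar_load2=1&id=1 HTTP/1.1" 200 5120 user=alice:administrator
198.51.100.7 - - [18/Jun/2026:10:02:10 +0000] "GET /wp-admin/?cpabc_calendar_load2=1&id=1 HTTP/1.1" 200 5120 user=mallory:contributor
198.51.100.7 - - [18/Jun/2026:10:02:11 +0000] "GET /wp-admin/?cpabc_calendar_load2=1&id=2 HTTP/1.1" 200 4880 user=mallory:contributor
198.51.100.7 - - [18/Jun/2026:10:02:12 +0000] "GET /wp-admin/?cpabc_calendar_load2=1&id=3 HTTP/1.1" 200 4710 user=mallory:contributor
198.51.100.7 - - [18/Jun/2026:10:03:00 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 9000 user=mallory:contributor
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ user=(?P<user>[^:\s]+):(?P<role>\S+)$')

def parse_line(line):
    """Parse one log line into a dict with the path split from its query string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["path"])
    rec["query"] = parse_qs(url.query)
    rec["path"] = url.path
    return rec

def find_booking_probes(log_text, enumeration_threshold=3):
    """Return (flagged, enumerators): non-Administrator hits on the booking loader,
    and the users whose hits cover at least enumeration_threshold distinct id values."""
    flagged = []
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only the admin-area loader endpoint described in the advisory is of interest.
        if rec is None or not rec["path"].startswith("/wp-admin/"):
            continue
        if rec["query"].get("cpabc_calendar_load2", [""])[0] != "1":
            continue
        # Administrators are expected to load calendars; lower roles are the signal.
        if rec["role"] == "administrator":
            continue
        cal_id = rec["query"].get("id", [""])[0]
        flagged.append((rec["user"], rec["role"], cal_id))
        ids_by_user[rec["user"]].add(cal_id)
    enumerators = sorted(u for u, ids in ids_by_user.items() if len(ids) >= enumeration_threshold)
    return flagged, enumerators
```

Calling find_booking_probes(SAMPLE_LOG) on the constructed lines returns three flagged requests from the Contributor account and lists that account as an enumeration suspect; the Administrator's request and the unrelated edit.php request are ignored.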

Monitoring Recommendations

  • Forward WordPress and web server logs to a centralized analytics platform for query-parameter inspection
  • Alert on Contributor-level accounts issuing high request volumes against wp-admin endpoints
  • Audit registered users to identify dormant or unexpected Contributor-level accounts that could be abused

How to Mitigate CVE-2026-12111

Immediate Actions Required

  • Update the Appointment Booking Calendar plugin to a version newer than 1.4.01 once the vendor publishes a fix
  • Audit user roles and remove unnecessary Contributor or higher accounts
  • Review booking calendars for evidence of unauthorized access and notify affected customers if exposure is confirmed

Patch Information

Review the WordPress Changeset Report for the upstream fix details. Apply the latest plugin release through the WordPress admin dashboard or via WP-CLI. Verify the patched version enforces per-calendar ownership checks before returning booking data.

Workarounds

  • Disable the Appointment Booking Calendar plugin until a patched version is installed
  • Restrict new user registrations or downgrade existing Contributor-level accounts to Subscriber where feasible
  • Place the wp-admin directory behind additional access controls such as IP allow-listing or HTTP authentication

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
