CVE-2026-12113 Overview
CVE-2026-12113 is a sensitive information exposure vulnerability in the Appointment Booking Calendar plugin for WordPress. The flaw affects all versions up to and including 1.4.02 and stems from a missing authorization check on the cpabc_appointments_filter_list functionality. Authenticated users with contributor-level access or higher can extract customer personally identifiable information (PII) from stored appointment records. Exposed data includes customer names, email addresses, phone numbers, and appointment comments. The issue is tracked under CWE-862: Missing Authorization.
Critical Impact
Authenticated contributors on affected WordPress sites can harvest booking PII, including names, emails, phone numbers, and appointment comments, resulting in privacy violations and potential regulatory exposure under GDPR and similar frameworks.
Affected Products
- Appointment Booking Calendar plugin for WordPress, versions up to and including 1.4.02
- WordPress sites with contributor-level users and the affected plugin installed
- Any WordPress deployment using the cpabc_appointments_filter_list code path prior to the patched release
Discovery Timeline
- 2026-07-01 - CVE-2026-12113 published to the National Vulnerability Database
- 2026-07-01 - Last updated in the NVD database
Technical Details for CVE-2026-12113
Vulnerability Analysis
The vulnerability resides in the cpabc_appointments_filter_list handler within the Appointment Booking Calendar plugin. The plugin exposes an appointment listing function that returns stored booking records but fails to enforce a capability check appropriate for the sensitivity of the data. Any authenticated user at contributor level or above can invoke the code path and receive customer records that should be limited to administrators or booking managers.
The returned dataset includes personally identifiable information collected from public booking submissions. Attackers who register a low-privilege account, or who compromise an existing contributor account, can enumerate the booking database without triggering administrative controls. Because contributor accounts are commonly granted to guest writers and external collaborators, the trust boundary for this data is effectively broken.
Relevant source lines are documented in the WordPress Plugin Code Review at cpabc_appointments.php#L187 and the supporting handler at cpabc_apps_on.inc.php#L255.
Root Cause
The root cause is missing authorization ([CWE-862]) on the cpabc_appointments_filter_list action. The handler validates that the caller is authenticated but does not verify that the caller holds a management capability such as manage_options or a plugin-specific role. WordPress capability checks are the standard mechanism for gating administrative actions, and their absence here allows contributor-tier accounts to reach data that should be restricted.
Attack Vector
Exploitation requires network access to the WordPress site and a valid contributor-level (or higher) account. The attacker authenticates to the site, then issues a request to the vulnerable handler to retrieve booking records. No user interaction from an administrator is required. The vendor-fixed logic can be reviewed in the WordPress changeset for the Appointment Booking Calendar plugin and the Wordfence Vulnerability Report.
No public proof-of-concept or exploit code has been observed, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-12113
Indicators of Compromise
- Unexpected authenticated requests to admin-ajax.php or plugin endpoints invoking the cpabc_appointments_filter_list action from contributor-tier accounts.
- Contributor or author accounts issuing repeated listing queries against the appointment plugin outside of normal editorial workflows.
- Bulk outbound transfer of records containing customer email addresses or phone numbers following contributor authentication.
Detection Strategies
- Enable WordPress activity logging to capture AJAX requests, HTTP method, action parameter, and originating user role for each call to plugin endpoints.
- Alert on any non-administrator user invoking the cpabc_appointments_filter_list action, which under normal use should be limited to booking managers.
- Correlate new low-privilege account creation events with subsequent access to appointment data endpoints.
Monitoring Recommendations
- Monitor web server access logs for POST requests to admin-ajax.php with action=cpabc_appointments_filter_list originating from accounts without administrative capabilities.
- Track response sizes on booking endpoints to detect bulk data extraction patterns.
- Review the WordPress user list on a recurring basis for unexpected contributor or author accounts, especially on sites that do not accept external registrations.
How to Mitigate CVE-2026-12113
Immediate Actions Required
- Update the Appointment Booking Calendar plugin to a version later than 1.4.02 that includes the authorization fix referenced in the vendor changeset.
- Audit all WordPress accounts and remove or downgrade unnecessary contributor, author, and editor-level users.
- Disable open user registration where it is not required, and require administrator approval for new accounts on sites that must accept registrations.
- Notify affected customers if log review indicates unauthorized access to booking records, in line with applicable data protection obligations.
Patch Information
The vendor addressed the issue in a subsequent release of the Appointment Booking Calendar plugin. The fix is documented in the WordPress plugin changeset 3581633 and cross-referenced by the Wordfence Vulnerability Report. Administrators should apply the update through the WordPress plugin manager and verify the installed version is above 1.4.02.
Workarounds
- If immediate patching is not possible, deactivate the Appointment Booking Calendar plugin until the update can be applied.
- Restrict access to wp-admin and admin-ajax.php using a web application firewall rule that blocks the cpabc_appointments_filter_list action for non-administrator sessions.
- Temporarily remove contributor and author roles from accounts that do not require them until the plugin is updated.
# Example WP-CLI commands to check plugin version and downgrade user roles
wp plugin get appointment-booking-calendar --field=version
wp user list --role=contributor --fields=ID,user_login,user_email
wp plugin deactivate appointment-booking-calendar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

