CVE-2026-3045 Overview
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress contains a critical authorization bypass vulnerability that allows unauthenticated attackers to access sensitive administrative settings. This flaw exists in all versions up to and including 1.6.9.29 and stems from improper access control implementation in the plugin's REST API endpoints.
The vulnerability is caused by two compounding security weaknesses: first, a non-user-bound public_nonce is exposed to unauthenticated users through the public /wp-json/ssa/v1/embed-inner REST endpoint; second, the get_item() method in SSA_Settings_Api relies on nonce_permissions_check() for authorization but fails to call remove_unauthorized_settings_for_current_user() to filter restricted fields.
Critical Impact
Unauthenticated attackers can access administrator email addresses, phone numbers, internal access tokens, notification configurations, and developer settings. Exposed appointment tokens also enable attackers to modify or cancel appointments.
Affected Products
- Simply Schedule Appointments WordPress Plugin versions up to and including 1.6.9.29
- WordPress sites using the vulnerable plugin versions
- Any deployment utilizing the /wp-json/ssa/v1/settings/{section} endpoint
Discovery Timeline
- 2026-03-13 - CVE-2026-3045 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-3045
Vulnerability Analysis
This vulnerability represents a classic case of broken access control (CWE-862) in a WordPress plugin's REST API implementation. The flaw allows unauthenticated users to bypass authorization checks and retrieve sensitive administrative settings that should be restricted to authenticated administrators only.
The attack exploits a design weakness where the plugin hands out a public_nonce through its embed endpoint. That nonce is not tied to any user, yet it satisfies the nonce_permissions_check() guarding the settings API. Because the plugin relies on that nonce check alone and never filters the response by the caller's capabilities, the full, unfiltered settings object is returned to anyone holding the nonce.
The impact is significant as exposed data includes administrator contact information (email and phone numbers), internal access tokens that could enable further attacks, notification configurations that may reveal additional infrastructure details, and appointment tokens that can be leveraged to manipulate booking data.
Root Cause
The root cause is an authorization bypass due to missing access control checks in the settings API. Specifically, the get_item() method in SSA_Settings_Api class accepts the public nonce for authentication but does not invoke remove_unauthorized_settings_for_current_user() to filter out admin-only fields before returning the response. This allows any user who can obtain the public nonce (which is readily available through the embed endpoint) to access all settings regardless of their authorization level.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Making a request to the public embed endpoint at /wp-json/ssa/v1/embed-inner to obtain the public_nonce
- Using the obtained nonce to query the settings endpoint at /wp-json/ssa/v1/settings/{section}
- Extracting sensitive information from the response, including administrator contact details (email and phone), internal access tokens, appointment tokens, and notification and developer configuration
The vulnerability is exploited entirely through the WordPress REST API. An attacker first retrieves the public nonce from the embed endpoint, then uses it to query protected settings sections. The settings API accepts the nonce as sufficient authorization but returns unfiltered data containing administrator-only fields. Note that WordPress REST routes are reachable both at /wp-json/{route} and via the rest_route query parameter (for example /?rest_route=/ssa/v1/settings/{section}), so any path-based monitoring or blocking must cover both forms. For detailed technical analysis, see the Wordfence Vulnerability Report and the relevant plugin source code.
Detection Methods for CVE-2026-3045
Indicators of Compromise
- Unusual volume of requests to /wp-json/ssa/v1/embed-inner from unknown IP addresses
- Requests to /wp-json/ssa/v1/settings/{section} endpoints from unauthenticated sources
- Access log entries showing sequential requests to embed and settings endpoints from the same IP
- Unexplained appointment modifications or cancellations without corresponding admin activity
Detection Strategies
- Monitor WordPress REST API access logs for requests to SSA plugin endpoints from unauthenticated users
- Implement rate limiting on /wp-json/ssa/v1/ endpoints to detect and block enumeration attempts
- Set up alerting for requests to settings endpoints that do not include a wordpress_logged_in cookie; treat this as a triage signal rather than proof, since any client can send a cookie with that name, and the public booking widget is designed to call the plugin's REST API without a login
- Review web server logs for patterns indicating automated scanning of the plugin's REST API
Monitoring Recommendations
- Enable comprehensive logging of WordPress REST API requests, particularly for the SSA plugin namespace
- Configure SIEM rules to correlate embed endpoint access with subsequent settings API queries
- Establish baseline traffic patterns for legitimate plugin usage to identify anomalous behavior
- Monitor for unauthorized changes to appointment data that may indicate token exposure
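The following script implements the correlation described in the indicators and detection lists above: it reads access-log lines, spots unauthenticated hits on the settings routes (in both the /wp-json/ and ?rest_route= forms), and raises confidence when the same client fetched embed-inner shortly before. It is an added example, not code from the advisory, from Wordfence, or from the plugin. It assumes a custom Apache LogFormat that appends the raw Cookie header (the standard combined format does not record it); the log lines, IP addresses and settings section names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed Apache LogFormat (an assumption for this example, not from the advisory):
#   LogFormat "%h %t \"%r\" %>s \"%{Cookie}i\"" ssa_audit
# The stock "combined" format carries no Cookie header, so the
# "did this request carry a login cookie" decision needs the extra field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def _route_re(route):
    """Regex matching a REST route either as a pretty-permalink path
    (/wp-json/...) or as a rest_route= query value, with slashes that may
    be percent-encoded. Both reach the same WordPress handler."""
    enc = route.replace('/', '(?:/|%2F)')
    return re.compile(r'/wp-json' + enc + r'|rest_route=' + enc, re.I)


EMBED_RE = _route_re('/ssa/v1/embed-inner')
SETTINGS_RE = _route_re('/ssa/v1/settings/')
# Login cookies are named wordpress_logged_in_<hex hash>. Presence is only a
# hint: the name is trivially forgeable, so this filters noise, not attackers.
LOGGED_IN_RE = re.compile(r'(?:^|;\s*)wordpress_logged_in_[0-9a-f]+=', re.I)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = datetime.strptime(ev['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return ev


def detect(lines, window=timedelta(minutes=5)):
    """Return one alert per unauthenticated settings request.

    rule == 'embed_then_settings'      the same IP fetched embed-inner within
                                       `window` beforehand (the described chain)
    rule == 'unauthenticated_settings' settings hit with no login cookie, no
                                       preceding embed-inner fetch seen
    """
    last_embed = {}   # ip -> timestamp of most recent embed-inner fetch
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, target = ev['ip'], ev['ts'], ev['target']
        if EMBED_RE.search(target):
            last_embed[ip] = ts
            continue
        if not SETTINGS_RE.search(target) or LOGGED_IN_RE.search(ev['cookie']):
            continue
        seen = last_embed.get(ip)
        chained = seen is not None and timedelta(0) <= ts - seen <= window
        alerts.append({
            'ip': ip,
            'ts': ts.isoformat(),
            'target': target,
            'rule': 'embed_then_settings' if chained else 'unauthenticated_settings',
        })
    return alerts


def enumerating_ips(alerts, threshold=2):
    """IPs that touched at least `threshold` distinct settings targets without
    a login cookie: the enumeration pattern worth rate limiting."""
    targets = {}
    for a in alerts:
        targets.setdefault(a['ip'], set()).add(a['target'])
    return {ip for ip, seen in targets.items() if len(seen) >= threshold}


# Constructed sample log (not real traffic). Section names are illustrative.
SAMPLE_LOG = """\
203.0.113.7 [13/Mar/2026:10:00:01 +0000] "GET /wp-json/ssa/v1/embed-inner HTTP/1.1" 200 "-"
203.0.113.7 [13/Mar/2026:10:00:02 +0000] "GET /wp-json/ssa/v1/settings/general HTTP/1.1" 200 "-"
203.0.113.7 [13/Mar/2026:10:00:03 +0000] "GET /?rest_route=%2Fssa%2Fv1%2Fsettings%2Fdeveloper HTTP/1.1" 200 "-"
198.51.100.9 [13/Mar/2026:10:05:00 +0000] "GET /wp-json/ssa/v1/settings/general HTTP/1.1" 200 "wordpress_logged_in_abc123=admin%7C1234; wp-settings-1=x"
192.0.2.4 [13/Mar/2026:10:06:00 +0000] "GET /wp-json/ssa/v1/settings/general HTTP/1.1" 200 "-"
192.0.2.4 [13/Mar/2026:10:20:00 +0000] "GET /wp-json/ssa/v1/embed-inner HTTP/1.1" 200 "-"
"""

if __name__ == '__main__':
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(a['rule'], a['ip'], a['ts'], a['target'])
    print('enumerating:', sorted(enumerating_ips(found)))
```

On the sample, the two requests from 203.0.113.7 (one via /wp-json/, one via the percent-encoded rest_route form) are flagged as the embed-then-settings chain, the logged-in request is ignored, and the lone request from 192.0.2.4 is reported at the lower-confidence rule because no embed-inner fetch preceded it. Expect some legitimate hits from visitors loading the public booking widget; the per-IP distinct-target count is the better signal for automated scanning than any single request.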
How to Mitigate CVE-2026-3045
Immediate Actions Required
- Update the Simply Schedule Appointments plugin to version 1.6.9.30 or later immediately
- Review access logs for any suspicious queries to the affected REST API endpoints
- Rotate any access tokens or credentials that may have been exposed through the vulnerability
- Notify administrators whose contact information may have been compromised
Patch Information
The vendor has released a security patch addressing this vulnerability. The fix can be reviewed in the WordPress Plugin Changeset. Organizations should update to the latest version through the WordPress plugin update mechanism or by manually downloading the patched version from the WordPress plugin repository.
Workarounds
- If immediate patching is not possible, temporarily disable the Simply Schedule Appointments plugin until the update can be applied
- Implement a Web Application Firewall (WAF) rule to block unauthenticated requests to the /wp-json/ssa/v1/settings/ endpoints; make sure the rule also covers the ?rest_route=/ssa/v1/settings/ form of the same route, or it is trivially bypassed
- Restrict access to the WordPress REST API using server-level access controls for trusted IP addresses only; be aware that this also blocks the plugin's public booking functionality and other REST-dependent features (the block editor, for one) for everyone outside that allow-list
- Consider using a security plugin to add additional authentication requirements to REST API endpoints
# Apache .htaccess rule to block unauthenticated access to vulnerable endpoints.
# Stop-gap only: a client can send a fake wordpress_logged_in cookie to pass this
# check, and the public booking widget may legitimately need these routes.
# Adjust the path prefix if WordPress is installed in a subdirectory.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in
# Pretty-permalink form of the route ...
RewriteCond %{REQUEST_URI} ^/wp-json/ssa/v1/settings/ [NC,OR]
# ... and the ?rest_route= form, which reaches the same handler and would
# otherwise bypass a path-only rule (slashes may be percent-encoded)
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)ssa(/|%2F)v1(/|%2F)settings [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.