CVE-2026-4807 Overview
CVE-2026-4807 is a Missing Authorization vulnerability [CWE-862] affecting the Appointment Booking Calendar plugin (Simply Schedule Appointments) for WordPress in versions up to and including 1.6.10.6. The flaw resides in the nonce_permissions_check() method, which accepts a site-wide reusable public_nonce exposed through the /wp-json/ssa/v1/embed-inner REST endpoint. Unauthenticated attackers can retrieve this nonce and use it to read or delete arbitrary appointments through the /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk endpoints. Successful exploitation leads to disclosure of booking data, unauthorized modification, and loss of appointment records.
Critical Impact
Unauthenticated attackers can view, modify, or delete arbitrary appointments stored by the plugin, causing service disruption and exposure of sensitive customer booking data.
Affected Products
- Simply Schedule Appointments (Appointment Booking Calendar) plugin for WordPress
- All versions up to and including 1.6.10.6
- Sites exposing the /wp-json/ssa/v1/ REST namespace to unauthenticated users
Discovery Timeline
- 2026-05-07 - CVE-2026-4807 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-4807
Vulnerability Analysis
The plugin registers REST routes under the ssa/v1 namespace and protects appointment management operations with a custom nonce_permissions_check() method. The check inspects two request headers: X-WP-Nonce and X-PUBLIC-Nonce. When the standard X-WP-Nonce validation fails, control falls through to a secondary branch that validates X-PUBLIC-Nonce instead of rejecting the request. The fallback path treats successful validation of the public nonce as sufficient authorization for sensitive operations, including appointment deletion.
The public_nonce itself is not user-bound, session-bound, or appointment-bound. It is a static, site-wide token rendered into the booking iframe and returned by the unauthenticated /wp-json/ssa/v1/embed-inner endpoint. Any visitor can fetch the nonce and replay it against privileged routes.
Root Cause
The root cause is flawed authorization logic combined with insecure nonce design. Nonces in WordPress are intended as anti-CSRF tokens, not authorization grants. Reusing a publicly readable nonce as the sole gate for destructive actions collapses the authorization model. Because the permission callback returns true whenever either header validates, an attacker only needs to supply any value for X-WP-Nonce and the leaked public_nonce for X-PUBLIC-Nonce.
Attack Vector
The attack is fully remote and unauthenticated over HTTP(S). An attacker first issues a GET request to /wp-json/ssa/v1/embed-inner to recover the public_nonce value. The attacker then issues a DELETE request to /wp-json/ssa/v1/appointments/{id}/delete or a bulk request to /wp-json/ssa/v1/appointments/bulk with X-WP-Nonce: anything and X-PUBLIC-Nonce: <leaked_nonce>. The same primitive supports reading appointment objects, exposing fields such as public_edit_url that can be used to tamper with bookings. See the Wordfence Vulnerability Report and the relevant class-td-api-model.php source for the vulnerable logic.
Detection Methods for CVE-2026-4807
Indicators of Compromise
- Unauthenticated GET requests to /wp-json/ssa/v1/embed-inner from non-browser user agents or scripted clients.
- HTTP requests to /wp-json/ssa/v1/appointments/*/delete or /wp-json/ssa/v1/appointments/bulk carrying both X-WP-Nonce and X-PUBLIC-Nonce headers.
- Sudden disappearance of appointment records or unexpected entries in the plugin's audit and database tables.
Detection Strategies
- Inspect web server and WordPress access logs for paired requests to embed-inner followed by appointment deletion or bulk endpoints from the same source IP.
- Alert on REST API calls to ssa/v1 deletion routes that originate from unauthenticated sessions (no wordpress_logged_in_* cookie).
- Compare nightly database snapshots of the appointments table to baseline counts and flag unexplained record removal.
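The two log-based strategies above (both nonce headers on a deletion route from an unauthenticated client, and an embed-inner fetch followed by a deletion or bulk call from the same source) can be checked offline with a small script. The code below is an added example, not the page's or the plugin's own tooling; it assumes a reverse proxy has been configured to emit one JSON object per request with fields for the two nonce headers and the login cookie (a constructed log format, not nginx's default), and the sample lines are constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Routes named in the advisory.
EMBED_RE = re.compile(r"^/wp-json/ssa/v1/embed-inner/?$")
MUTATING_RE = re.compile(r"^/wp-json/ssa/v1/appointments/([^/]+/delete|bulk)/?$")

# Constructed sample log (assumed JSON-per-line format emitted by a reverse proxy;
# x_wp_nonce / x_public_nonce record header presence, logged_in records a
# wordpress_logged_in_* cookie). IPs are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2026-05-08T10:00:01Z", "ip": "198.51.100.23", "method": "GET", "path": "/wp-json/ssa/v1/embed-inner", "status": 200, "ua": "python-requests/2.31", "x_wp_nonce": false, "x_public_nonce": false, "logged_in": false}
{"ts": "2026-05-08T10:00:04Z", "ip": "198.51.100.23", "method": "DELETE", "path": "/wp-json/ssa/v1/appointments/1042/delete", "status": 200, "ua": "python-requests/2.31", "x_wp_nonce": true, "x_public_nonce": true, "logged_in": false}
{"ts": "2026-05-08T10:00:05Z", "ip": "198.51.100.23", "method": "POST", "path": "/wp-json/ssa/v1/appointments/bulk", "status": 200, "ua": "python-requests/2.31", "x_wp_nonce": true, "x_public_nonce": true, "logged_in": false}
{"ts": "2026-05-08T10:15:00Z", "ip": "203.0.113.7", "method": "GET", "path": "/wp-json/ssa/v1/embed-inner", "status": 200, "ua": "Mozilla/5.0", "x_wp_nonce": false, "x_public_nonce": false, "logged_in": false}
{"ts": "2026-05-08T11:30:00Z", "ip": "192.0.2.10", "method": "DELETE", "path": "/wp-json/ssa/v1/appointments/77/delete", "status": 200, "ua": "Mozilla/5.0", "x_wp_nonce": true, "x_public_nonce": false, "logged_in": true}
"""


def parse_log(text):
    """Parse JSON-per-line records and convert timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def flag_requests(events):
    """Per-request indicators: both nonce headers on a mutating route, or a
    mutating route reached without a logged-in session."""
    findings = []
    for e in events:
        if not MUTATING_RE.match(e["path"]):
            continue
        if e["x_wp_nonce"] and e["x_public_nonce"]:
            findings.append({"rule": "both_nonce_headers_on_mutating_route",
                             "ip": e["ip"], "path": e["path"]})
        if not e["logged_in"]:
            findings.append({"rule": "unauthenticated_mutating_request",
                             "ip": e["ip"], "path": e["path"]})
    return findings


def flag_embed_then_mutate(events, window=timedelta(minutes=10)):
    """Sequence indicator: a GET to embed-inner followed within `window` by a
    delete or bulk request from the same source IP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        last_embed = None
        for e in evs:
            if e["method"] == "GET" and EMBED_RE.match(e["path"]):
                last_embed = e["ts"]
            elif MUTATING_RE.match(e["path"]) and last_embed is not None \
                    and e["ts"] - last_embed <= window:
                findings.append({"rule": "embed_inner_then_mutation", "ip": ip,
                                 "path": e["path"],
                                 "seconds_after_embed": (e["ts"] - last_embed).total_seconds()})
    return findings


def successful_mutations_per_ip(events):
    """Count HTTP 200 responses on delete/bulk routes per IP, for baselining."""
    counts = defaultdict(int)
    for e in events:
        if MUTATING_RE.match(e["path"]) and e["status"] == 200:
            counts[e["ip"]] += 1
    return dict(counts)


def analyse(text):
    events = parse_log(text)
    return {
        "requests": flag_requests(events),
        "sequences": flag_embed_then_mutate(events),
        "success_counts": successful_mutations_per_ip(events),
    }


if __name__ == "__main__":
    for rule, items in analyse(SAMPLE_LOG).items():
        print(rule, json.dumps(items, indent=1, default=str))
```

The per-request rules fire on every hit because, after the patch, no legitimate client should present X-PUBLIC-Nonce on a deletion route; the sequence rule and the success counts are lower-confidence signals meant for correlation against historical baselines rather than for blocking on their own.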
Monitoring Recommendations
- Enable WordPress audit logging for REST API activity and forward logs to a central SIEM for retention and correlation.
- Apply Web Application Firewall (WAF) rules that rate-limit or block repeated calls to plugin REST endpoints from a single IP.
- Track HTTP 200 responses on appointment delete routes and alert when volumes deviate from historical baselines.
How to Mitigate CVE-2026-4807
Immediate Actions Required
- Update the Simply Schedule Appointments plugin to a version newer than 1.6.10.6 that contains the vendor patch.
- If patching is not immediately possible, deactivate the plugin until the fixed release is deployed.
- Audit the appointments database for unauthorized modifications or deletions and restore from backup where needed.
- Rotate any sensitive data referenced by public_edit_url links that may have been exposed.
Patch Information
The vendor addressed the flaw in WordPress.org plugin changeset 3511993, which corrects the permission callback logic. Site administrators should apply the update through the WordPress plugin updater or by deploying the latest plugin package from the WordPress.org repository.
Workarounds
- Restrict access to the /wp-json/ssa/v1/ REST namespace at the WAF or reverse proxy layer to authenticated administrative IP ranges.
- Block requests that include the X-PUBLIC-Nonce header at the edge until the plugin is updated.
- Disable the public booking iframe feature if it is not in use to prevent exposure of the public_nonce value.
# Example nginx rule to block exploitation of the appointment delete endpoints.
# Note: a regex location captures matching requests entirely, so each block
# below must also carry the site's normal WordPress handling (the same
# try_files / fastcgi_pass directives as the main PHP location); otherwise
# legitimate requests to these routes will not reach WordPress at all.
location ~* ^/wp-json/ssa/v1/appointments/.*/delete {
    if ($http_x_public_nonce) { return 403; }
    # ... site's usual PHP handling directives here ...
}
location ~* ^/wp-json/ssa/v1/appointments/bulk {
    if ($http_x_public_nonce) { return 403; }
    # ... site's usual PHP handling directives here ...
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.