Skip to main content
CVE Vulnerability Database

CVE-2026-9188: Wappointment Plugin Auth Bypass Vulnerability

CVE-2026-9188 is an authentication bypass flaw in the Wappointment plugin for WordPress that allows attackers to cancel or reschedule appointments. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-9188 Overview

CVE-2026-9188 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in the Appointment Bookings for Zoom, GoogleMeet and more – Wappointment plugin for WordPress. All versions up to and including 2.7.6 are affected. The flaw resides in the appointmentkey parameter processed by the unauthenticated cancellation and rescheduling REST endpoints. The edit_key authorization token is generated as a predictable, unsalted MD5 hash of client_id, start_at, and staff_id. Unauthenticated attackers can reconstruct valid keys and cancel or reschedule appointments belonging to other users.

Critical Impact

Unauthenticated attackers can hijack the appointment lifecycle of other users on any Wappointment-enabled WordPress site where allow_cancellation or allow_rescheduling is enabled.

Affected Products

  • Wappointment plugin for WordPress — all versions up to and including 2.7.6
  • WordPress sites with allow_cancellation enabled
  • WordPress sites with allow_rescheduling enabled

Discovery Timeline

  • 2026-07-02 - CVE-2026-9188 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-9188

Vulnerability Analysis

The vulnerability originates in how Wappointment authorizes appointment modifications. The plugin's tryCancel() function accepts the appointmentkey parameter and compares it against a stored edit_key. That edit_key is the sole authorization token consumed by cancellation and rescheduling flows, and no additional ownership or identity verification is performed.

The edit_key is derived from three low-entropy inputs concatenated and passed through MD5: client_id, start_at, and staff_id. All three inputs are either directly observable or trivially enumerable. client_id is a sequential integer assigned when a customer books an appointment. start_at is a publicly visible appointment timestamp. staff_id is a small enumerable integer identifying a staff member.

Because the hash is unsalted and contains no random component, any attacker able to reconstruct these three values can regenerate the exact edit_key for a victim's appointment. The unauthenticated REST endpoints then accept the reconstructed key as sufficient proof of authorization.

Root Cause

The root cause is a broken authorization design pattern. The plugin relies on an unsalted MD5 of predictable, low-entropy fields as a capability token, and the REST endpoint enforces no additional ownership checks. This maps directly to CWE-639 (Authorization Bypass Through User-Controlled Key).

Attack Vector

An attacker books a legitimate appointment on the target site to observe the current sequential client_id counter. Public schedule pages and confirmation flows expose appointment start_at timestamps. Staff identifiers are enumerable across a small integer range. With these inputs, the attacker computes the MD5 hash locally, submits it to the cancellation or rescheduling REST endpoint via the appointmentkey parameter, and the server processes the request without further authorization checks.

Exploitation requires that allow_cancellation or allow_rescheduling be enabled, which is a common configuration for active booking deployments. See the Wordfence Vulnerability Report and the Wappointment Appointment Service source for technical details.

Detection Methods for CVE-2026-9188

Indicators of Compromise

  • Unauthenticated POST or GET requests to Wappointment REST endpoints containing the appointmentkey parameter from unfamiliar IP addresses.
  • Bursts of appointment cancellations or reschedules originating from a small number of source IPs within a short window.
  • Multiple booking creations from the same client followed by lookup activity that iterates through staff identifiers.
  • Customer complaints about appointments being cancelled or moved without user action.

Detection Strategies

  • Correlate Wappointment REST endpoint activity with the appointments database to flag cancellations that lack a matching authenticated session for the appointment owner.
  • Alert on repeated 200-response cancellation calls from the same source IP against distinct appointmentkey values.
  • Track anomalous ratios of cancellations to bookings per hour compared to historical baselines.

Monitoring Recommendations

  • Enable verbose WordPress and web server access logging for /wp-json/wappointment/ routes.
  • Forward WordPress and web server logs to a centralized analytics platform for querying and long-term retention.
  • Monitor plugin file integrity to confirm the site is running a patched build.

How to Mitigate CVE-2026-9188

Immediate Actions Required

  • Update the Wappointment plugin to a version later than 2.7.6 once a patched release is available from the vendor.
  • Disable allow_cancellation and allow_rescheduling in the Wappointment settings until a fix is deployed.
  • Audit recent appointment cancellations and reschedules for unauthorized activity and notify affected customers.
  • Restrict access to Wappointment REST endpoints at the web application firewall (WAF) tier where feasible.

Patch Information

At the time of publication, all versions up to and including 2.7.6 are affected. Review the Wappointment changeset in the WordPress plugin repository and monitor the plugin listing for a security release that replaces the predictable edit_key derivation with a salted, cryptographically random token.

Workarounds

  • Disable the allow_cancellation setting to prevent unauthenticated cancellations through the REST endpoint.
  • Disable the allow_rescheduling setting to prevent unauthenticated rescheduling through the REST endpoint.
  • Deploy WAF rules that block unauthenticated requests to Wappointment REST endpoints from sources outside expected geographies or user agents.
  • Reduce publicly visible scheduling metadata such as staff identifiers and precise appointment timestamps where the booking workflow allows.
bash
# Example: block Wappointment cancellation and rescheduling endpoints at the reverse proxy
location ~ ^/wp-json/wappointment/.*/(cancel|reschedule) {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.