CVE-2026-3045
Published: 13 March 2026
Summary
CVE-2026-3045 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-3045 affects the Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress in all versions up to and including 1.6.9.29. The vulnerability enables unauthorized access to sensitive data due to two compounding weaknesses: a non-user-bound public_nonce exposed to unauthenticated users via the /wp-json/ssa/v1/embed-inner REST endpoint, and the get_item() method in SSA_Settings_Api relying solely on nonce_permissions_check() for authorization without invoking remove_unauthorized_settings_for_current_user() to filter restricted fields. This results in a high-severity issue with a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), mapped to CWE-862 (Missing Authorization).
Unauthenticated attackers can exploit this by sending requests to the /wp-json/ssa/v1/settings/{section} endpoint using the public nonce, gaining access to admin-only plugin settings such as administrator email, phone number, internal access tokens, notification configurations, and developer settings. Additionally, exposure of appointment tokens allows attackers to modify or cancel appointments, potentially disrupting operations without requiring any privileges or user interaction.
Mitigation details are available in plugin advisories and code references, including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/5970b8d6-0041-4c30-a6ce-fe67ebf415f5?source=cve and a WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480506%40simply-schedule-appointments%2Ftrunk&old=3475885%40simply-schedule-appointments%2Ftrunk&sfp_email=&sfph_mail=#file0) indicating fixes applied after version 1.6.9.21, with relevant code locations in class-bootstrap.php, class-settings-api.php, and class-td-api-model.php. Security practitioners should update to a patched version beyond 1.6.9.29 and review exposed endpoints.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11758
Vulnerability details
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
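The fix pattern the advisory describes (a capability check in the REST permission callback, plus field filtering in the handler), shown as an added example that is not the plugin's or WordPress core's own code. The route namespace, the `ssa_demo_*` names, the `manage_options` capability and the restricted-key list are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Illustrates why a shared,
// non-user-bound nonce must not stand in for authorization: WordPress core
// already validates the X-WP-Nonce header for cookie-authenticated REST
// requests and sets the current user accordingly, so the permission
// callback's job is to check WHO the caller is, not whether a nonce exists.
// Keys below are assumed names for the kind of fields the advisory lists.
const SSA_DEMO_RESTRICTED_KEYS = array(
    'admin_email', 'admin_phone', 'access_token',
    'notification_settings', 'developer_settings',
);

// Permission callback: real authorization, keyed on a capability.
function ssa_demo_settings_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read these settings.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Defence in depth: the handler itself strips restricted fields for callers
// who lack the capability, so a future permission_callback mistake cannot
// leak them on its own (the missing step in the vulnerable get_item()).
function ssa_demo_remove_unauthorized_settings( array $settings ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $settings;
    }
    return array_diff_key( $settings, array_flip( SSA_DEMO_RESTRICTED_KEYS ) );
}

function ssa_demo_get_item( WP_REST_Request $request ) {
    $section  = sanitize_key( $request['section'] );
    // Assumed storage: one option per settings section.
    $settings = (array) get_option( 'ssa_demo_settings_' . $section, array() );
    return rest_ensure_response( ssa_demo_remove_unauthorized_settings( $settings ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ssa-demo/v1', '/settings/(?P<section>[a-z_]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'ssa_demo_get_item',
        'permission_callback' => 'ssa_demo_settings_permission',
    ) );
} );
```

With this pattern an unauthenticated request to the settings route is rejected before the handler runs, and even an authenticated non-admin only receives the non-restricted keys.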
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization flaw (CWE-862) in a public WordPress REST API endpoint (/wp-json/ssa/v1/settings/{section}) that is directly exploitable by unauthenticated remote attackers over the network, matching the definition of T1190 Exploit Public-Facing Application. No other techniques have a direct mapping from the provided description.
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to information and resources, directly countering the missing authorization check and failure to filter restricted fields in the plugin's get_item() method that exposed sensitive admin settings to unauthenticated users.
AC-6 enforces least privilege, preventing unauthenticated attackers from accessing admin-only plugin settings, internal tokens, and appointment data that enable modification or cancellation of appointments.
SI-2 requires timely remediation of flaws, directly addressing this CVE by updating the plugin to versions beyond 1.6.9.29 where the authorization and nonce issues are fixed.