Cyber Resilience

CVE-2026-3045

High

Published: 13 March 2026

Modified: 22 April 2026
KEV Added
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (15.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3045 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-3045 affects the Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress in all versions up to and including 1.6.9.29. The vulnerability enables unauthorized access to sensitive data due to two compounding weaknesses: a non-user-bound public_nonce exposed to unauthenticated users via the /wp-json/ssa/v1/embed-inner REST endpoint, and the get_item() method in SSA_Settings_Api relying solely on nonce_permissions_check() for authorization without invoking remove_unauthorized_settings_for_current_user() to filter restricted fields. This results in a high-severity issue with a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), mapped to CWE-862 (Missing Authorization).

Unauthenticated attackers can exploit this by sending requests to the /wp-json/ssa/v1/settings/{section} endpoint using the public nonce, gaining access to admin-only plugin settings such as administrator email, phone number, internal access tokens, notification configurations, and developer settings. Additionally, exposure of appointment tokens allows attackers to modify or cancel appointments, potentially disrupting operations without requiring any privileges or user interaction.

Mitigation details are available in plugin advisories and code references, including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/5970b8d6-0041-4c30-a6ce-fe67ebf415f5?source=cve and a WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480506%40simply-schedule-appointments%2Ftrunk&old=3475885%40simply-schedule-appointments%2Ftrunk&sfp_email=&sfph_mail=#file0) indicating fixes applied after version 1.6.9.21, with relevant code locations in class-bootstrap.php, class-settings-api.php, and class-td-api-model.php. Security practitioners should update to a patched version beyond 1.6.9.29 and review exposed endpoints.

Vulnerability details

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
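The two-step pattern described above (a client fetches `/wp-json/ssa/v1/embed-inner`, then reads `/wp-json/ssa/v1/settings/{section}`) is visible in ordinary web server access logs even though the nonce itself is not. The following detection script is an added example written for this page, not code from the plugin or from Wordfence; the log lines are constructed, the 10-minute correlation window is an assumption, and an access log cannot tell an authenticated admin from an unauthenticated client, so hits are leads for review, not proof of exploitation.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx combined-log-format fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints named in the advisory: the nonce source and the leaky settings read.
EMBED_PATH = "/wp-json/ssa/v1/embed-inner"
SETTINGS_RE = re.compile(r"^/wp-json/ssa/v1/settings/(?P<section>[^/?]+)")


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_settings_reads_after_embed(lines, window=timedelta(minutes=10)):
    """Return (ip, section, status, timestamp) for every GET of a settings
    section that the same client issued within `window` of fetching
    embed-inner. Assumed heuristic: this ordering is how an unauthenticated
    client would obtain and then use the public nonce."""
    last_embed = {}   # client ip -> time of its most recent embed-inner fetch
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore query string when matching
        if path == EMBED_PATH:
            last_embed[rec["ip"]] = rec["ts"]
            continue
        m = SETTINGS_RE.match(path)
        if m is None or rec["method"] != "GET":
            continue
        seen = last_embed.get(rec["ip"])
        if seen is not None and timedelta(0) <= rec["ts"] - seen <= window:
            findings.append((rec["ip"], m.group("section"), rec["status"], rec["ts"]))
    return findings


# Constructed sample log: one client follows the embed-inner -> settings pattern,
# one reads settings cold and is rejected, one only loads the booking widget.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2026:10:02:11 +0000] "GET /wp-json/ssa/v1/embed-inner HTTP/1.1" 200 5123
198.51.100.7 - - [14/Mar/2026:10:02:14 +0000] "GET /wp-json/ssa/v1/settings/notifications HTTP/1.1" 200 2210
203.0.113.9 - - [14/Mar/2026:10:05:00 +0000] "GET /wp-json/ssa/v1/settings/developer HTTP/1.1" 401 87
192.0.2.44 - - [14/Mar/2026:11:30:00 +0000] "GET /wp-json/ssa/v1/embed-inner HTTP/1.1" 200 5123
192.0.2.44 - - [14/Mar/2026:11:30:05 +0000] "GET /book-appointment/ HTTP/1.1" 200 41000
"""

if __name__ == "__main__":
    for ip, section, status, ts in find_settings_reads_after_embed(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {ip} read settings section '{section}' -> HTTP {status}")
```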

CWE(s): CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing authorization flaw (CWE-862) in a public WordPress REST API endpoint (/wp-json/ssa/v1/settings/{section}) that is directly exploitable by unauthenticated remote attackers over the network, matching the definition of T1190 Exploit Public-Facing Application. No other techniques have a direct mapping from the provided description.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)
CVE-2024-52500 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 mandates enforcement of approved authorizations for access to information and resources, directly countering the missing authorization check and failure to filter restricted fields in the plugin's get_item() method that exposed sensitive admin settings to unauthenticated users.

Prevent: AC-6 enforces least privilege, preventing unauthenticated attackers from accessing admin-only plugin settings, internal tokens, and appointment data that enable modification or cancellation of appointments.

Prevent: SI-2 requires timely remediation of flaws, directly addressing this CVE by updating the plugin to versions beyond 1.6.9.29 where the authorization and nonce issues are fixed.