CVE-2026-12111

EPSS 0.29%
Veröffentlicht 18.06.2026 06:50:06
Zuletzt bearbeitet 18.06.2026 06:50:06
Quelle b15e7b5b-3da4-40ae-a43c-f7aa60
CVE-Watchlists
Login
Unerledigt
Login

Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function, which is reachable via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks is_admin() && current_user_can('edit_posts'), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin.

Mögliche Gegenmaßnahme

Appointment Booking Calendar: Update to version 1.4.02, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 14

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellercodepeople

≫

Produkt Appointment Booking Calendar

Default Statusunaffected

Version <= 1.4.01

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Appointment Booking Calendar

Version *-1.4.01

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.2

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
b15e7b5b-3da4-40ae-a43c-f7aa60e62599	4.3	0	0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ecc237-87b0-4c4d-94cc-d3af9c6669c5?source=cve

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_go.inc.php#L1018

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/inc/cpabc_apps_go.inc.php#L1018

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/inc/cpabc_apps_go.inc.php#L1019

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_go.inc.php#L1019

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/inc/cpabc_apps_go.inc.php#L945

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_go.inc.php#L945

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/cpabc_appointments.php#L142

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/cpabc_appointments.php#L142

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3570448%40appointment-booking-calendar&new=3570448%40appointment-booking-calendar&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ecc237-87b0-4c4d-94cc-d3af9c6669c5

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-12111

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-12111

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-12111

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-12111