WordPress Plugin Exposes Sensitive Customer Data
The National Vulnerability Database (NVD) has reported a critical sensitive information exposure vulnerability, CVE-2026-2262, affecting the Easy Appointments plugin for WordPress. All versions up to and including 3.12.21 are impacted. The NVD highlights that the /wp-json/wp/v2/eablocks/ea_appointments/ REST API endpoint is improperly configured with __return_true for its permission callback, effectively bypassing all authentication and authorization.
This misconfiguration allows any unauthenticated attacker to access a trove of sensitive customer appointment data. According to the NVD, this includes full names, email addresses, phone numbers, IP addresses, detailed appointment descriptions, and even pricing information. The CVSS score of 7.5 (HIGH) underscores the severity of this exposure, with a vector indicating network-exploitable, low complexity, no privileges required, and high confidentiality impact.
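To make the misconfiguration concrete, the following is an added illustration (not code from the Easy Appointments plugin or from the NVD entry) of how a WordPress REST route registered with `'permission_callback' => '__return_true'` compares to one that actually enforces authentication and a capability check. The namespace `example/v1`, the route names, the callback `example_list_appointments` and the capability `manage_appointments` are all assumptions chosen for the example.

```php
<?php
// Added example: a permissive REST route next to a hardened one.
// Route names, namespace, callback and capability are illustrative, not the plugin's.

// Handler shared by both routes; returns only the fields a caller needs.
// Real data access would go through $wpdb or the plugin's own model.
function example_list_appointments( WP_REST_Request $request ) {
    $appointments = array(); // constructed placeholder for the query result
    return rest_ensure_response( $appointments );
}

add_action( 'rest_api_init', function () {
    // WEAK: __return_true answers "yes" for every caller, so anonymous HTTP
    // requests reach the handler and receive whatever it returns (PII included).
    register_rest_route( 'example/v1', '/appointments-open', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_appointments',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback runs before the handler and must
    // return true, false, or a WP_Error. Here it requires a logged-in user
    // who holds a specific capability; everyone else gets 401 or 403.
    register_rest_route( 'example/v1', '/appointments', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_appointments',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error(
                    'rest_not_logged_in',
                    'Authentication required.',
                    array( 'status' => 401 )
                );
            }
            // 'manage_appointments' is an assumed custom capability; a plugin
            // would register it, or fall back to a core one such as 'manage_options'.
            if ( ! current_user_can( 'manage_appointments' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient permissions.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
    ) );
} );
```

Two practical notes for anyone auditing their own routes: a read-only route exposing personal data should never use `__return_true`, even if the handler "only" lists records, because the permission callback is the sole gate between an anonymous request and the handler; and a cookie-authenticated browser request to the hardened route must also carry a valid `X-WP-Nonce` header, otherwise WordPress treats the request as unauthenticated and the 401 branch fires, which is the intended fail-closed behaviour. A quick check for the weak pattern across an installed plugin set is a search of the plugins directory for the string `__return_true` next to `permission_callback`.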
For defenders, this is a clear call to action. An attacker’s calculus here is simple: low effort for high reward. They can scrape vast amounts of PII without needing to authenticate. If your organization uses the Easy Appointments plugin, you’re sitting on a data leak waiting to happen. Patch immediately and review your data exposure policies, especially for third-party integrations.
What This Means For You
- If your organization uses the Easy Appointments plugin for WordPress, you are actively leaking customer PII. Check your plugin version NOW. Patch to a fixed version immediately, and assume that sensitive customer data has already been exposed. Consider notifying affected customers and reviewing your data retention policies.
CVE-2026-2262 - Easy Appointments WordPress Plugin Sensitive Data Exposure
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-2262 | Information Disclosure | Easy Appointments plugin for WordPress versions <= 3.12.21 |
| CVE-2026-2262 | Information Disclosure | Vulnerable REST API endpoint: /wp-json/wp/v2/eablocks/ea_appointments/ |
| CVE-2026-2262 | Information Disclosure | Lack of authentication/authorization checks via 'permission_callback' => '__return_true' |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 03:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.