CVE-2026-2262
Published 2026-04-18
Priority: P262 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 2.39% (81.9th percentile)
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| easyappointments | easy_appointments | <= 3.12.21 | — |
Detection & IOCs (extracted from sources)
- Send an unauthenticated GET request to /wp-json/wp/v2/eablocks/ea_appointments/ and check for HTTP 200 with an application/json content-type and a body containing 'email', 'phone', 'ip' and 'name' fields; that combination indicates appointment data is exposed.
- Fingerprint candidate WordPress installations by searching HTTP response bodies for the string /wp-content/plugins/easy-appointments/ (FOFA/Shodan pivots). This identifies the plugin, not the version, so a positive fingerprint still needs the endpoint probe.
- The vulnerable endpoint is registered with 'permission_callback' => '__return_true', so no authentication or authorization check is enforced and any unauthenticated HTTP GET succeeds.
- All versions up to and including 3.12.21 of the Easy Appointments WordPress plugin are affected; versions after 3.12.21 may have patched the permission callback.
- The detection DSL requires all three conditions simultaneously: the body contains 'email', 'phone', 'ip' and 'name'; the content-type is application/json; and the status code is 200. Tune accordingly to reduce false positives.
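The probe described in the list above, as an added Python example that is not part of this page, the plugin project or the Nuclei template: it applies the three-condition matcher (status 200, JSON content-type, all four words in the body) to HTTP responses, reduces a hit to a record count plus field names so the evidence can be reported without copying customer data, and includes the /wp-content/plugins/easy-appointments/ fingerprint pivot. The sample responses are constructed; the 401 "rest_forbidden" body is only an assumed shape of what a denying permission_callback would return, used as a negative case; and probe() is the one function that touches the network, so run it only against hosts you are authorised to test.

```python
"""Added example: offline checker for the CVE-2026-2262 detection conditions listed
above. This is not the plugin's or the Nuclei template's code; all sample responses
below are constructed."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field

ENDPOINT = "/wp-json/wp/v2/eablocks/ea_appointments/"
FINGERPRINT = "/wp-content/plugins/easy-appointments/"
REQUIRED_WORDS = ("email", "phone", "ip", "name")  # all four must appear in the body


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def content_type(resp: HttpResponse) -> str:
    """Case-insensitive Content-Type lookup (servers vary the header's case)."""
    for key, value in resp.headers.items():
        if key.lower() == "content-type":
            return value.lower()
    return ""


def is_exposed(resp: HttpResponse) -> bool:
    """The page's detection DSL: status 200 AND JSON content-type AND all words present."""
    if resp.status != 200:
        return False
    if "application/json" not in content_type(resp):
        return False
    body = resp.body.lower()
    return all(word in body for word in REQUIRED_WORDS)


def summarize_exposure(resp: HttpResponse):
    """Reduce a hit to record count plus field names so a report can cite the exposure
    without copying customer PII. Returns None unless the body is a JSON list."""
    try:
        data = json.loads(resp.body)
    except ValueError:
        return None
    if not isinstance(data, list):
        return None
    fields = set()
    for record in data:
        if isinstance(record, dict):
            fields.update(record.keys())
    return {"records": len(data), "fields": sorted(fields)}


def fingerprint_plugin(html: str) -> bool:
    """Passive pivot: the plugin's asset path appearing in any response body."""
    return FINGERPRINT in html


def probe(base_url: str, timeout: float = 10.0) -> HttpResponse:
    """Unauthenticated GET to the endpoint. The only function here that touches the
    network; use it only against hosts you are authorised to test."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT,
                                 headers={"User-Agent": "cve-2026-2262-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return HttpResponse(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


# --- constructed sample responses (not captured from any real site) ---
VULNERABLE_SAMPLE = HttpResponse(
    200, {"Content-Type": "application/json; charset=UTF-8"},
    json.dumps([
        {"id": 1, "name": "Jane Doe", "email": "jane@example.com", "phone": "555-0100",
         "ip": "203.0.113.5", "description": "Follow-up visit", "price": "40"},
        {"id": 2, "name": "John Roe", "email": "john@example.com", "phone": "555-0101",
         "ip": "198.51.100.9", "description": "", "price": "40"},
    ]),
)
# Assumed shape of a WordPress rest_forbidden error, i.e. what a permission_callback
# that refuses anonymous callers would typically return; used only as a negative case.
DENIED_SAMPLE = HttpResponse(
    401, {"Content-Type": "application/json; charset=UTF-8"},
    '{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.",'
    '"data":{"status":401}}',
)
# A 200 JSON body that mentions "name" and "email" but never "phone": must not match.
BENIGN_SAMPLE = HttpResponse(
    200, {"content-type": "application/json"},
    '{"name":"wp/v2","namespace":"wp/v2","email_support":false}',
)

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("denied", DENIED_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, is_exposed(sample), summarize_exposure(sample))
```

The substring check is as crude as the DSL it mirrors: "ip" is satisfied by any body containing the word "description", and "name" appears in most REST responses, so the combination with "phone" and "email" carries most of the weight. summarize_exposure() is the check that separates a list of appointment records from a JSON page that merely mentions those words, and its output (count and field names, no values) is what belongs in a finding.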
VulDB
easyappointments Easy Appointments Plugin up to 3.12.21 on WordPress REST API Endpoint ea_appointments information disclosure (EUVD-2026-23577)
vuldb · 2026-04-18 · CVSS 7.5 · HIGH
A vulnerability, which was classified as problematic, was found in easyappointments Easy Appointments Plugin up to 3.12.21 on WordPress. Affected by this issue is some unknown functionality of the file /wp-json/wp/v2/eablocks/ea_appointments/ of the component REST API Endpoint. Executing a manipulation can lead to information disclosure.
This vulnerability is registered as CVE-2026-2262. It is possible to launch the attack remotely. No exploit is available.
You should upgrade the affected component.
GHSA
GHSA-g6w9-q39q-63xh: The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21
ghsa_unreviewed · 2026-04-18 · CWE-200 · HIGH
No detection rules found.
Nuclei
Easy Appointments <= 3.12.21 - Information Disclosure
nuclei · CVSS 7.5 · HIGH
Easy Appointments WordPress plugin <= 3.12.21 contains a sensitive information exposure caused by an unauthenticated REST API endpoint /wp-json/wp/v2/eablocks/ea_appointments/ registered with permission_callback allowing unrestricted access, letting unauthenticated attackers extract sensitive customer appointment data.
Template:

```yaml
id: CVE-2026-2262

info:
  name: Easy Appointments <= 3.12.21 - Information Disclosure
  author: 0x_Akoko
  severity: high
  description: |
    Easy Appointments WordPress plugin <= 3.12.21 contains a sensitive information exposure caused by an unauthenticated REST API endpoint /wp-json/wp/v2/eablocks/ea_appointments/ registered with permission_callback allowing unrestricted access, letting unauthenticated attackers extract sensitive customer appointment data.
```
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L141
- https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L190
- https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/ea-blocks/ea-blocks.php#L190
- https://plugins.trac.wordpress.org/changeset/3485692/easy-appointments/trunk/ea-blocks/ea-blocks.php
- https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-appointments/tags/3.12.21&new_path=%2Feasy-appointments/tags/3.12.22
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e681aa8e-522e-4092-aa1f-8ada3097c8d6?source=cve
Published: 2026-04-18