CVE-2026-2262
published 2026-04-18


Priority: P262 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 2.39% (81.9th percentile)
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.
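
The registration pattern the advisory describes, shown as an added illustrative reconstruction (not the Easy Appointments plugin's own source) beside a hardened form; the handler name, the `ea_demo_` prefix and the `manage_options` capability are assumptions, only the route path comes from the advisory.

```php
<?php
// Added example: illustrative reconstruction, not the plugin's real code.
// Route path is from the advisory; handler and capability names are assumed.

// Vulnerable pattern: a permission callback that always returns true, so any
// unauthenticated GET can read the appointment records the handler returns.
function ea_demo_register_vulnerable_route() {
    register_rest_route( 'wp/v2', '/eablocks/ea_appointments', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'ea_demo_list_appointments', // hypothetical handler
        'permission_callback' => '__return_true',             // no authn/authz check
    ) );
}

// Hardened form: require a logged-in user holding a capability that implies
// access to customer data. 'manage_options' is an assumption here; a real
// plugin would map a narrower custom capability to its own roles.
function ea_demo_register_hardened_route() {
    register_rest_route( 'wp/v2', '/eablocks/ea_appointments', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'ea_demo_list_appointments',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                // 401 for anonymous callers, 403 when a session exists
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Authentication required.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Insufficient permissions.' ),
                    array( 'status' => 403 )
                );
            }
            return true;
        },
    ) );
}

// Hypothetical handler; the real endpoint returns names, e-mail addresses,
// phone numbers, IP addresses, descriptions and pricing per the advisory.
function ea_demo_list_appointments( WP_REST_Request $request ) {
    return rest_ensure_response( array() );
}

add_action( 'rest_api_init', 'ea_demo_register_hardened_route' );
```

Even with the permission check in place, the handler should return only the fields the calling role actually needs, since the exposure here is customer PII.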

Affected (1 range)

Vendor: easyappointments
Product: easy_appointments
Version range: <= 3.12.21
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /wp-json/wp/v2/eablocks/ea_appointments/
Path: /wp-content/plugins/easy-appointments/
  • Send an unauthenticated GET request to /wp-json/wp/v2/eablocks/ea_appointments/ and check for HTTP 200 with application/json content-type and body containing 'email', 'phone', 'ip', and 'name' fields — indicating sensitive appointment data is exposed.
  • Fingerprint vulnerable WordPress installations by searching for the string /wp-content/plugins/easy-appointments/ in HTTP response bodies (FOFA/Shodan pivots).
  • The vulnerable endpoint is registered with 'permission_callback' => '__return_true', meaning no authentication or authorization checks are enforced — any unauthenticated HTTP GET succeeds.
  • All versions up to and including 3.12.21 of the Easy Appointments WordPress plugin are affected; versions beyond 3.12.21 may have patched the permission callback.
  • Detection DSL requires all three conditions simultaneously: body contains 'email', 'phone', 'ip', and 'name'; content-type is application/json; and status code is 200. Tune accordingly to reduce false positives.