CVE-2026-2262

HIGH NUCLEI

Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

Title source: cna

Description

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

Nuclei Templates (1)

Easy Appointments <= 3.12.21 - Information Disclosure

HIGHVERIFIEDby 0x_Akoko

Shodan: http.html:"/wp-content/plugins/easy-appointments/"

FOFA: body="/wp-content/plugins/easy-appointments/"

References (6)

https://www.wordfence.com/threat-intel/vulnerabilities/id/e681aa8e-522e-4092-aa1f-8ada3097c8d6?source=cve

https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L190

https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/ea-blocks/ea-blocks.php#L190

https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L141

https://plugins.trac.wordpress.org/changeset/3485692/easy-appointments/trunk/ea-blocks/ea-blocks.php

https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-appointments/tags/3.12.21&new_path=%2Feasy-appointments/tags/3.12.22

Scores

CVSS v3 7.5

EPSS 0.2911

EPSS Percentile 96.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (1)

easyappointments/Easy Appointments < 3.12.21

Published Apr 18, 2026

Tracked Since Apr 18, 2026