CVE-2026-2262

HIGH NUCLEI

Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-2262 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

Nuclei Templates (1)

Easy Appointments <= 3.12.21 - Information Disclosure
HIGHVERIFIEDby 0x_Akoko
Shodan: http.html:"/wp-content/plugins/easy-appointments/"
FOFA: body="/wp-content/plugins/easy-appointments/"

References (6)

Core 6

Scores

CVSS v3 7.5
EPSS 0.4999
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (1)
easyappointments/Easy Appointments < 3.12.21
Published Apr 18, 2026
Tracked Since Apr 18, 2026