Authorization Bypass Vulnerability in Easy Appointments Plugin for WordPress
CVE-2026-11992
4.3MEDIUM
What is CVE-2026-11992?
The Easy Appointments plugin for WordPress contains a vulnerability allowing authenticated users with author-level access and above to bypass authorization checks. This loophole enables them to cancel all scheduled appointments by marking them as abandoned. The nonce for authenticating cancellation requests is exposed on the Appointments admin page, which is accessible to users with the edit_posts capability. As a result, even low-privileged users can exploit this flaw to disrupt appointment management on the site.
Affected Version(s)
Easy Appointments 0 <= 3.12.27