Sensitive Information Exposure in Appointment Booking Calendar Plugin for WordPress
CVE-2026-12111

4.3 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 18 June 2026

What is CVE-2026-12111?

The Appointment Booking Calendar plugin for WordPress is vulnerable to sensitive information exposure because of insufficient authorization, which authenticated attackers with Contributor-level access or above can exploit. Specifically, the weakness arises from missing per-calendar ownership checks within the cpabc_appointments_calendar_load2() function. By sending the cpabc_calendar_load2=1 query parameter together with an arbitrary calendar ID, an attacker can retrieve sensitive customer booking information, such as email addresses, names, phone numbers, booking times, and comments, from any calendar handled by the plugin.
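
For defenders reviewing web server logs, the following added example (not part of the advisory or the plugin's code) flags clients that sent successful cpabc_calendar_load2=1 requests with several different parameter sets, the pattern left behind when one account walks through calendar IDs. The log format (Combined Log Format), the request path, the `id` parameter name in the sample lines and the threshold are assumptions; the advisory does not name the calendar-ID parameter, so the code compares all remaining parameters as a set.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client, identity, user, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
TRIGGER = "cpabc_calendar_load2"  # query parameter named in the advisory


def find_calendar_enumeration(lines, threshold=3):
    """Return {client: count of distinct parameter sets} for clients with at
    least `threshold` distinct successful cpabc_calendar_load2=1 requests."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, target, status = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if params.get(TRIGGER) != ["1"] or not status.startswith("2"):
            continue  # other traffic, or a request the server refused
        # The calendar-ID parameter name is unknown here, so treat every
        # parameter other than the trigger as part of the lookup key.
        key = tuple(sorted((k, tuple(v)) for k, v in params.items() if k != TRIGGER))
        seen[client].add(key)
    return {c: len(keys) for c, keys in seen.items() if len(keys) >= threshold}


# Constructed sample lines (documentation IP ranges; `id` is a hypothetical
# parameter name and "/" a hypothetical path).
_TS = "[18/Jun/2026:10:00:0%d +0000]"
SAMPLE_LOG = [
    '203.0.113.7 - - ' + _TS % 1 + ' "GET /?cpabc_calendar_load2=1&id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - ' + _TS % 2 + ' "GET /?cpabc_calendar_load2=1&id=2 HTTP/1.1" 200 498',
    '203.0.113.7 - - ' + _TS % 3 + ' "GET /?cpabc_calendar_load2=1&id=3 HTTP/1.1" 200 530',
    '203.0.113.7 - - ' + _TS % 4 + ' "GET /?cpabc_calendar_load2=1&id=4 HTTP/1.1" 200 476',
    '198.51.100.20 - - ' + _TS % 5 + ' "GET /?cpabc_calendar_load2=1&id=2 HTTP/1.1" 200 498',
    '198.51.100.20 - - ' + _TS % 6 + ' "GET /?cpabc_calendar_load2=1&id=2 HTTP/1.1" 200 498',
    '198.51.100.9 - - ' + _TS % 7 + ' "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, count in find_calendar_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct calendar_load2 requests")
```

A client that repeatedly loads the same calendar counts once, so ordinary use of a single calendar stays below the threshold.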

Affected Version(s)

Appointment Booking Calendar 0 <= 1.4.01

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chloe Chamberland
PRISM