Sensitive Information Exposure in Easy Appointments Plugin for WordPress
CVE-2026-2262

7.5HIGH

Key Information:

Vendor: WordPress
Status: Easy Appointments
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-2262?

The Easy Appointments plugin for WordPress is vulnerable to a serious issue where sensitive customer information can be exposed. All versions up to and including 3.12.21 are affected due to a flaw in the REST API endpoint /wp-json/wp/v2/eablocks/ea_appointments/. Specifically, this endpoint lacks proper authentication or authorization checks since it is registered with a permission callback that allows unrestricted access. This vulnerability enables malicious actors to potentially extract sensitive data such as customers' full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information, presenting significant risk to user privacy and data security.

Affected Version(s)

Easy Appointments 0 <= 3.12.21

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/easy-appointme...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Feb 9, 2026

Credit

MD. TAREQ AHAMED JONY

CVE-2026-2262 Data

JSON