Insecure Direct Object Reference in Wappointment Plugin for WordPress
CVE-2026-9188

5.3 MEDIUM

What is CVE-2026-9188?

The Wappointment plugin for WordPress is vulnerable to an Insecure Direct Object Reference that lets unauthenticated attackers act on other users' appointments. The edit_key that authorizes changes to an appointment is generated deterministically from client-supplied data with no server-side secret salt, so anyone who can reproduce those inputs can recompute a valid edit_key. Because appointment IDs are assigned sequentially and the timestamps of neighbouring appointments can be correlated, an attacker can narrow down the inputs for a target appointment and forge its key. When the relevant settings are enabled on the site, this allows unauthorized cancellation and rescheduling of arbitrary appointments. The key derivation must be fixed to protect appointment integrity.
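
The forgery class described above, as an added example that is not Wappointment's code. The weak derivation (a plain hash over the appointment ID and booking timestamp) is a hypothetical stand-in for "a token computed only from client-visible data with no server secret"; the plugin's real formula is not on this page. The appointment records, IDs and timestamps are constructed sample data. The hardened variants keep the same public inputs but key the derivation with a server-side secret (or store a random capability token), so the attacker's candidate set collapses from a few dozen guesses to nothing usable:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Server-side secret that never leaves the server. A real deployment stores it
# in the site's options/config at install time; generated here for the demo.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Appointment:
    id: int            # sequentially assigned, as the advisory describes
    created_ts: int    # booking time (unix seconds), also attacker-observable
    edit_key: str
    status: str = "booked"


def weak_edit_key(appt_id: int, created_ts: int) -> str:
    """Hypothetical forgeable scheme: a plain hash over client-visible fields only.
    Anyone who knows (id, created_ts) can recompute it. Stand-in, not the plugin's code."""
    return hashlib.sha1(f"{appt_id}:{created_ts}".encode()).hexdigest()


def hmac_edit_key(appt_id: int, created_ts: int, secret: bytes = SERVER_SECRET) -> str:
    """Hardened derivation: same public inputs, keyed with a server secret.
    Without the secret an attacker cannot enumerate candidate keys."""
    if not secret:
        raise ValueError("refusing to derive edit_key without a server secret")
    return hmac.new(secret, f"{appt_id}:{created_ts}".encode(), hashlib.sha256).hexdigest()


def random_edit_key() -> str:
    """Alternative fix: a random capability token stored alongside the appointment."""
    return secrets.token_urlsafe(32)


def candidate_keys(target_id: int, ts_lo: int, ts_hi: int) -> list:
    """Attacker's work against the weak scheme: with the target's ID and a
    timestamp window inferred from neighbouring appointments, the candidate set
    is tiny and each guess costs one request to the cancel/reschedule endpoint."""
    return [weak_edit_key(target_id, ts) for ts in range(ts_lo, ts_hi + 1)]


def cancel_appointment(store: dict, appt_id: int, supplied_key: str) -> bool:
    """Endpoint-side check. The ID only selects the record (the direct object
    reference); the edit_key is the sole authorization, so it must be
    unforgeable and compared in constant time."""
    appt = store.get(appt_id)
    if appt is None:
        return False
    if not hmac.compare_digest(supplied_key.encode(), appt.edit_key.encode()):
        return False
    appt.status = "cancelled"
    return True


def attack(store: dict, target_id: int, ts_lo: int, ts_hi: int) -> bool:
    """Try every weak-scheme candidate against the endpoint.
    Returns True if any forged key cancelled the target appointment."""
    return any(cancel_appointment(store, target_id, k)
               for k in candidate_keys(target_id, ts_lo, ts_hi))


def build_store(scheme: str) -> dict:
    """Constructed sample data: three sequential appointments booked 30 s apart."""
    base_ts = 1_700_000_000
    store = {}
    for i, appt_id in enumerate((41, 42, 43)):
        ts = base_ts + 30 * i
        if scheme == "weak":
            key = weak_edit_key(appt_id, ts)
        elif scheme == "hmac":
            key = hmac_edit_key(appt_id, ts)
        else:
            key = random_edit_key()
        store[appt_id] = Appointment(appt_id, ts, key)
    return store


if __name__ == "__main__":
    weak = build_store("weak")
    # The attacker booked 41 and 43 themselves, so knows their timestamps;
    # the target, 42, must have been created between them.
    lo, hi = weak[41].created_ts, weak[43].created_ts
    print("weak scheme forged:", attack(weak, 42, lo, hi))
    print("hmac scheme forged:", attack(build_store("hmac"), 42, lo, hi))
```

The check to run against any similar booking code is the one `attack` performs: if every input to the key derivation is visible to, or guessable by, the client, the key is an identifier rather than a credential, and possessing the appointment ID is enough to act on it.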

Affected Version(s)

Appointment Bookings for Zoom GoogleMeet and more – Wappointment, all versions up to and including 2.7.6

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Score: 5.3 (MEDIUM)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

davidfdzmorilla