Insecure Direct Object Reference in Wappointment Plugin for WordPress
CVE-2026-9188
Key Information:
- Vendor: WordPress
- CVE Published: 2 July 2026
What is CVE-2026-9188?
The Wappointment plugin for WordPress contains an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to manipulate appointment access. The edit_key authorization token is generated predictably: it relies solely on client data, with no secret salt, so attackers can forge valid edit_key values. This enables unauthorized cancellation and rescheduling of appointments when specific settings are enabled on the site. An attacker can exploit this by observing sequentially assigned IDs and correlating timestamps of appointments. Addressing the vulnerability is crucial to protect user data and appointment integrity.
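The weakness class described above, shown as an added example that is not the plugin's code: a token derived only from client-visible fields next to the same derivation bound to a server-side secret with HMAC. The field names, the hash choice in the weak form, and all function names are assumptions made for illustration, and the sample record is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample record; the field names are assumptions for illustration.
$appointment = ['id' => 1042, 'email' => 'client@example.test', 'start_at' => 1782986400];

// Stand-in for a secret generated once at install time and kept server-side
// (never sent to the browser). Created per run here so the file is self-contained.
$serverSecret = random_bytes(32);

// Weak pattern: every input is supplied by or visible to the client, so the
// token carries no secret and is only as private as those values.
function unkeyed_edit_key(array $a): string
{
    return hash('sha256', $a['id'] . '|' . $a['email'] . '|' . $a['start_at']);
}

// Hardened form: the same inputs, bound to the server secret with HMAC-SHA256.
function keyed_edit_key(array $a, string $secret): string
{
    return hash_hmac('sha256', $a['id'] . '|' . $a['email'] . '|' . $a['start_at'], $secret);
}

// Authorization check: recompute the expected token and compare in constant time.
function may_edit(array $a, string $presented, string $secret): bool
{
    return hash_equals(keyed_edit_key($a, $secret), $presented);
}

$issued = keyed_edit_key($appointment, $serverSecret);

// Token issued by the server for this appointment.
var_dump(may_edit($appointment, $issued, $serverSecret));
// Token computed without the secret from the same public fields.
var_dump(may_edit($appointment, unkeyed_edit_key($appointment), $serverSecret));
// Valid token replayed against a neighbouring appointment ID.
var_dump(may_edit(['id' => 1043] + $appointment, $issued, $serverSecret));
```

Only the token issued with the server secret is accepted; the unkeyed value and the token replayed against a different appointment ID are both rejected.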
Affected Version(s)
Appointment Bookings for Zoom GoogleMeet and more – Wappointment 0 <= 2.7.6