CVE-2026-39513 7.5 HIGH
Broken access control in the Easy Appointments plugin allows unauthenticated attackers to reach a privileged REST route registered with '__return_true' as its permission_callback, exposing appointment data managed by the site.
| Product | Easy Appointments |
|---|---|
| Affected Versions | ≤ 3.12.21 |
| Fixed Version | 3.12.22 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE | CWE-862 (Missing Authorization) |
| Published | 2026-04-13 |
| Active installs | 10,000+ |
Description
The Easy Appointments plugin for WordPress is vulnerable to Broken Access Control in all versions up to and including 3.12.21. A REST route registered by the plugin's blocks integration uses '__return_true' as its permission_callback, with a comment that read 'Secure this if needed'. The route is reachable by any visitor with no authentication, no capability check and no nonce validation. Unauthenticated attackers can invoke it to read appointment records and the joined custom-field metadata that the site relies on being private.
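The registration pattern the advisory describes, shown beside a hardened version, as an added example that is not Easy Appointments' own code. The route namespace, route name, handler name and the chosen capability ('manage_options') are assumptions for illustration; the fix is to replace '__return_true' with a permission_callback that enforces authentication and a capability check (cookie-authenticated REST requests also need a valid X-WP-Nonce header, without which WordPress treats the caller as logged out).

```php
<?php
// Added example, not the plugin's code. Namespace, route, handler and the
// 'manage_options' capability are assumed for illustration.

// Vulnerable pattern: permission_callback returns true for every request,
// so any unauthenticated visitor can reach the handler and its data.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/appointments', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_appointments',
        'permission_callback' => '__return_true', // "Secure this if needed"
    ) );
} );

// Hardened pattern: require a logged-in user holding an appropriate capability.
// With cookie auth, WordPress only sets the current user when the request
// carries a valid X-WP-Nonce header, so current_user_can() fails otherwise.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/appointments-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_appointments',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view appointments.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
    ) );
} );

// Placeholder handler shared by both routes; a real one would query the
// appointment records and their custom-field metadata.
function example_list_appointments( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'appointments' => array() ) );
}
```

A quick audit for this class of issue is to grep a plugin tree for `'permission_callback' => '__return_true'` and confirm each hit is a route that is genuinely meant to be public.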
Impact
An unauthenticated attacker can enumerate and read appointment records containing customer personal data such as names, email addresses, phone numbers and scheduling details from any WordPress site running a vulnerable version of Easy Appointments. Given the plugin's use in healthcare, legal and professional services, the disclosure carries immediate privacy and regulatory consequences.