MidnightBSD

Advisories for easyappointments

CVE-2018-13060 MEDIUM

Easy!Appointments 1.3.0 has a Guessable CAPTCHA issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
easyappointments easy!appointments *
easyappointments easy!appointments 1.3.0
CVE-2018-13063 MEDIUM

Easy!Appointments 1.3.0 has a Missing Authorization issue allowing retrieval of hashed passwords and salts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,

Products Affected

Vendor Product Version
easyappointments easy!appointments *
easyappointments easy!appointments 1.3.0
CVE-2019-14936 MEDIUM

Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Information Disclosure (Username and Password Hash).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
easyappointments easy!appointments 1.3.2
CVE-2022-0482 MEDIUM

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-359,CWE-863,

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2022-1397 HIGH

API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Full system takeover.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-1269

Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-1367

Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.8 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N 1.2 2.5

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-2102

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-2103

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-2104

Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-2105

Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-32295

Missing Authorization vulnerability in Alex Tselegidis Easy!Appointments.This issue affects Easy!Appointments: from n/a through 1.3.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H 1.8 4.0

Products Affected

Vendor Product Version
easyappointments easy!appointments *
CVE-2023-3286

A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N 3.1 4.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-3287

A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-3288

A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 8.5 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N 3.1 4.7

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-3289

A BOLA vulnerability in POST /services allows a low privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N 3.1 4.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-3290

A BOLA vulnerability in POST /customers allows a low privileged user to create a low privileged user (customer) in the system. This results in unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N 3.1 1.4

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-3700

Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38047

A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 8.5 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L 3.1 4.7

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38048

A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38049

A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38050

A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L 3.1 5.3

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38051

A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38052

A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38053

A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38054

A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2023-38055

A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H 3.1 5.8

Products Affected

Vendor Product Version
easyappointments easyappointments *
CVE-2024-0698

The Easy!Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'easyappointments' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@wordfence.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
easyappointments easy!appointments *
easyappointments easy\!appointments *
CVE-2024-57601

Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter.

Products Affected

Vendor Product Version
easyappointments easyappointments 1.5.0
CVE-2025-29448

Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
easyappointments easy!appointments 1.5.1
CVE-2025-31828

Cross-Site Request Forgery (CSRF) vulnerability in alextselegidis Easy!Appointments easyappointments allows Cross Site Request Forgery.This issue affects Easy!Appointments: from n/a through <= 1.4.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
audit@patchstack.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
easyappointments easy!appointments *
CVE-2025-50383

alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
easyappointments easy!appointments 1.5.1
CVE-2026-23622

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.

Products Affected

Vendor Product Version
easyappointments easy!appointments *