CVE-2026-3045
N Squared · Simply Schedule Appointments (WordPress Plugin)
The Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data due to a failure in access control.
Executive summary
The Simply Schedule Appointments WordPress plugin contains a high-severity vulnerability that allows unauthorized access to sensitive user and appointment data.
Vulnerability
This vulnerability allows an unauthenticated or low-privileged user to access sensitive information that should be restricted. The flaw likely stems from improper capability checks or insecure direct object references within the booking management interface.
Business impact
The CVSS score of 7.5 highlights a significant risk to data privacy. Exploitation could expose personally identifiable information (PII), including customer names, contact details, and appointment schedules, potentially violating data protection regulations such as GDPR or CCPA.
Remediation
Immediate Action: Update the Simply Schedule Appointments plugin to the latest version to apply the necessary access control patches.
Proactive Monitoring: Check WordPress access logs for unauthorized attempts to access plugin-specific AJAX endpoints or administrative pages.
Compensating Controls: Implement a security plugin that monitors for unauthorized data exports and restricts access to sensitive WordPress subdirectories.
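For the Proactive Monitoring step above, one way to triage a WordPress access log is shown here in Python; it is an added example, not code from the advisory or the plugin. It assumes the Apache/Nginx combined log format, uses a placeholder (`PLUGIN_MARKER`) for the plugin's own URL prefix because the advisory names no endpoint, and runs on constructed sample lines.

```python
import re

# Assumption: Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# "/wp-admin/" is the standard WordPress admin path and also covers admin-ajax.php.
# PLUGIN_MARKER is a placeholder: replace it with the plugin's own URL prefix.
PLUGIN_MARKER = "PLUGIN-PATH-PLACEHOLDER"
WATCHED = ("/wp-admin/", PLUGIN_MARKER)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2026:10:05:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:10:06:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:10:06:05 +0000] "GET /wp-admin/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:10:06:09 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2026:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def summarize(lines, threshold=3):
    """Per-client counts of served (2xx) and denied (401/403) hits on watched paths."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not any(w in m["path"] for w in WATCHED):
            continue  # unparseable line or a path outside the watch list
        s = stats.setdefault(m["ip"], {"ok": 0, "denied": 0, "bytes": 0})
        status = int(m["status"])
        if status in (401, 403):
            s["denied"] += 1
        elif 200 <= status < 300:
            s["ok"] += 1
            s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    # Keep only clients whose watched-path activity reaches the review threshold.
    return {ip: s for ip, s in stats.items() if s["ok"] + s["denied"] >= threshold}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s)
```

Access logs do not record whether a request was authenticated, so the output is a list of clients to review against known administrators and normal front-end traffic, not a verdict.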
Exploitation status
Public Exploit Available: false
Analyst recommendation
Protecting customer privacy is paramount. Administrators should prioritize the update of the Simply Schedule Appointments plugin to prevent unauthorized data harvesting and maintain compliance with privacy standards.