Easy Appointments Plugin Leaks Customer Data on WordPress Sites

CVE-2026-2262
Summary

The Easy Appointments plugin for WordPress exposes sensitive customer information on all sites running versions up to and including 3.12.21. Attackers can read names, email addresses, phone numbers, and other details without logging in. Update the plugin to the latest version to fix this issue and protect your customers' data.

Original title
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API ...
Original description
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.
NVD CVSS 3.1 score: 7.5
Vulnerability type
CWE-200 Information Exposure
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026
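
To review whether the endpoint named in the description was read on your own site, the following added example (not code from the plugin or from this advisory) scans web server access logs for successful responses from that route, in both the `/wp-json/` form and the `?rest_route=` form WordPress accepts. It assumes the Apache/nginx "combined" log format; the `known_admin_ips` parameter and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/wp/v2/eablocks/ea_appointments"  # route from the advisory, minus /wp-json
# Assumes the Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2026:10:02:11 +0000] "GET /wp-json/wp/v2/eablocks/ea_appointments/ HTTP/1.1" 200 48211 "-" "-"
203.0.113.7 - - [18/Apr/2026:10:02:14 +0000] "GET /?rest_route=%2Fwp%2Fv2%2Feablocks%2Fea_appointments%2F HTTP/1.1" 200 48190 "-" "-"
198.51.100.20 - - [18/Apr/2026:10:05:40 +0000] "GET /wp-json/wp/v2/eablocks/ea_appointments/ HTTP/1.1" 401 112 "-" "-"
192.0.2.10 - - [18/Apr/2026:10:06:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "-"
192.0.2.55 - - [18/Apr/2026:10:07:30 +0000] "GET /wp-json/wp/v2/eablocks/ea_appointments/?per_page=10 HTTP/1.1" 200 5120 "-" "-"
"""

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    idx = path.find("/wp-json/")
    if idx != -1:  # pretty-permalink form, also under a subdirectory install
        return path[idx + len("/wp-json"):]
    values = parse_qs(parts.query).get("rest_route")  # plain-permalink form
    return values[0] if values else None

def find_hits(lines, known_admin_ips=()):
    """Group 2xx responses from the appointments route by client IP."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in known_admin_ips:
            continue
        route = (rest_route(m["target"]) or "").rstrip("/").lower()
        if route != ROUTE and not route.startswith(ROUTE + "/"):
            continue
        if not m["status"].startswith("2"):
            continue  # non-2xx: no appointment data in the response
        h = hits[m["ip"]]
        h["requests"] += 1
        h["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    return dict(hits)

if __name__ == "__main__":
    print(find_hits(SAMPLE_LOG.splitlines(), {"192.0.2.55"}))
```

Access logs do not record whether a request carried a login cookie, so requests from logged-in staff appear alongside anonymous ones; pass the addresses your administrators use as `known_admin_ips` and treat the remaining clients as the ones to investigate.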