Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-2262 |
| Alert Source | NVD - New Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-17 |
| Vendor | WordPress |
| Product | Easy Appointments (plugin) |
| CVSS Score | 7.5 (high) |
| EPSS Score | 29.1% (percentile: 97%) |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/ea_appointments/ REST API endpoint. This is due to the endpoint being registered with 'permission_callback' => '__return_true', which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.
Required Actions
Apply vendor patches or mitigations as soon as available. Until an update is deployed, consider temporarily disabling the plugin or blocking access to the /wp-json/wp/v2/eablocks/ea_appointments/ endpoint at the WAF layer.
Who Is Affected?
This vulnerability affects Easy Appointments (plugin) by WordPress. Check whether your WordPress site uses Easy Appointments version 3.12.21 or earlier and needs to be updated.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
