Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin Sensitive Information Exposure Vulnerability
Vulnerability
A vulnerability allowing sensitive information exposure has been identified in the Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin for WordPress, affecting all versions through 1.6.9.16. The vulnerability arises because the plugin's admin embed endpoint is accessible without authentication, leaking private settings such as staff and business names, along with unpublicized configuration data. This flaw enables unauthenticated attackers to access confidential business information. In premium versions with active integrations, there is a risk of exposing additional sensitive data, including API keys for external services.
Impact
Exploitation of this vulnerability allows unauthenticated users to access and extract sensitive business configuration data from the affected WordPress plugin. This includes private information such as staff names and business names, as well as unpublicized plugin settings. In premium versions with integrations, there is a potential risk of exposing API keys for external services, further increasing the sensitivity of the information that could be leaked.
Remediation
Users are advised to update the Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin to version 1.6.9.17 or a newer patched version.
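As an added example (not part of the advisory and not the plugin's own code), the following script reads the standard WordPress plugin header from an installed plugin directory and reports whether its version predates the fixed release 1.6.9.17. The plugin directory path is supplied by the operator, and the sample header is constructed for illustration.

```python
import re
import sys
from pathlib import Path

FIXED = "1.6.9.17"  # first patched release named in the advisory

# WordPress reads plugin headers from the first 8 KiB of the main PHP file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

# Constructed sample header for illustration; not copied from the plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Example Booking Plugin
 * Version: 1.6.9.16
 */
"""

def parse_version(text):
    """'1.6.9.16' -> (1, 6, 9, 16), so 16 sorts after 9 (a string compare would not)."""
    nums = [re.search(r"\d+", part) for part in text.strip().split(".")]
    return tuple(int(m.group()) for m in nums if m)

def is_affected(version):
    """True when the version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED)

def version_from_header(text):
    """Return the Version header value, or None if text has no plugin header."""
    if not NAME_RE.search(text):
        return None
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def installed_version(plugin_dir):
    """Scan top-level PHP files in plugin_dir (operator-supplied path) for the header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        version = version_from_header(head)
        if version:
            return version
    return None

if __name__ == "__main__":
    found = installed_version(sys.argv[1]) if len(sys.argv) > 1 else version_from_header(SAMPLE_HEADER)
    if found is None:
        sys.exit("no plugin header found")
    print(found, "AFFECTED, update to " + FIXED + " or later" if is_affected(found) else "not affected")
```

Run it with the path to the plugin's folder under the site's plugins directory; with no argument it evaluates the constructed sample header.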
