Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.

PUBLISHED Reserved 2025-10-13 | Published 2026-01-06 | Updated 2026-01-06 | Assigner Wordfence




MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-330 Use of Insufficiently Random Values

Product status

Default status: unaffected

* (semver): affected

Timeline

2025-10-20: Vendor Notified
2026-01-05: Disclosed

Credits

Lucas Montes (finder)

References

www.wordfence.com/...-6152-4a89-8fe9-982120d1a640?source=cve

plugins.trac.wordpress.org/changeset/3393919/

cve.org (CVE-2025-11723)

nvd.nist.gov (CVE-2025-11723)
