// vulnerability record
cached · NVD via COSMOS sync
CVE-2026-12113
MEDIUM · CVSS 4.3 / 10
published 2026-07-01 05:16 UTC · 3 days ago · modified 2026-07-01 13:56 UTC
// description
The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer names, email addresses, phone numbers, appointment comments, and other booking personally identifiable information.
// weaknesses (CWE)
- CWE-862
// references (8)
- https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/cpabc_appointments.php#L187
- https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_on.inc.php#L255
- https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_on.inc.php#L328
- https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/cpabc_appointments.php#L187