CVE Catalog

CVE-2026-12113

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

The Appointment Booking Calendar plugin for WordPress up to version 1.4.02 exposes sensitive information via the cpabc_appointments_filter_list parameter. This allows authenticated attackers with contributor-level access or higher to extract customer personal identifiable information such as names, email addresses, phone numbers, appointment comments, and other booking details.

Risk Assessment

The organization is at risk of leaking customer personal data, which may lead to violations of data protection regulations (e.g., GDPR), loss of customer trust, and potential legal and financial consequences.

Recommendation

Immediately update the Appointment Booking Calendar plugin to the latest available version that fixes this vulnerability. If no update is available, temporarily disable the plugin or restrict access to the cpabc_appointments_filter_list function to trusted administrators only.

Original NVD description (English source)

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer names, email addresses, phone numbers, appointment comments, and other booking personally identifiable information.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS