CVE-2026-12113
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
The Appointment Booking Calendar plugin for WordPress up to version 1.4.02 exposes sensitive information via the cpabc_appointments_filter_list parameter. This allows authenticated attackers with contributor-level access or higher to extract customer personal identifiable information such as names, email addresses, phone numbers, appointment comments, and other booking details.
Risk Assessment
The organization is at risk of leaking customer personal data, which may lead to violations of data protection regulations (e.g., GDPR), loss of customer trust, and potential legal and financial consequences.
Recommendation
Immediately update the Appointment Booking Calendar plugin to the latest available version that fixes this vulnerability. If no update is available, temporarily disable the plugin or restrict access to the cpabc_appointments_filter_list function to trusted administrators only.
Original NVD description (English source)
The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer names, email addresses, phone numbers, appointment comments, and other booking personally identifiable information.

