{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69315", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:13.401Z", "datePublished": "2026-01-22T16:52:32.496Z", "dateUpdated": "2026-04-28T20:48:45.320Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simply-schedule-appointments", "product": "Simply Schedule Appointments", "vendor": "NSquared", "versions": [{"changes": [{"at": "1.6.9.17", "status": "unaffected"}], "lessThanOrEqual": "1.6.9.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:26.777Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15.</p>"}], "value": "Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.275Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-15-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Simply Schedule Appointments plugin <= 1.6.9.15 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:17:36.908540Z", "id": "CVE-2025-69315", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:48:45.320Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69315", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:17:36.908540Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:17:33.419Z"}}], "cna": {"title": "WordPress Simply Schedule Appointments plugin <= 1.6.9.15 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NSquared", "product": "Simply Schedule Appointments", "versions": [{"status": "affected", "changes": [{"at": "1.6.9.17", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.9.15"}], "packageName": "simply-schedule-appointments", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:26.777Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-15-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.275Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69315", "state": "PUBLISHED", "dateUpdated": "2026-04-28T20:48:45.320Z", "dateReserved": "2025-12-31T20:12:13.401Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:32.496Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en NSquared Simply Schedule Appointments simply-schedule-appointments permite explotar niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta a Simply Schedule Appointments: desde n/a hasta &lt;= 1.6.9.15."}], "id": "CVE-2025-69315", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:27.210", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-15-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:07:25.222523+00:00", "value": {"mitigation_remediation": ["Upgrade the Simply Schedule Appointments plugin to version 1.6.9.16 or later, which contains the fix for the missing authorization logic.", "If upgrading is not immediately possible, limit plugin access to users with the Administrator role and review the WordPress role permissions to remove any elevated privileges granted to Editors or Contributors.", "Apply a firewall or security plugin that blocks unauthorized access to plugin URLs and monitor for any suspicious activity on appointment management pages."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "All installations of WordPress that use the NSquared Simply Schedule Appointments plugin with a version of 1.6.9.15 or earlier are affected. The issue applies to all releases from the earliest available version through to 1.6.9.15, with no lower bound specified. Administrators of WordPress sites deploying this plugin should verify their current version and plan for remediation.", "description_and_impact": "The vulnerability involves missing authorization checks in the NSquared Simply Schedule Appointments plugin. This is a broken access control weakness (CWE-862) where access control settings are incorrectly configured, enabling an attacker to exploit the plugin\u2019s security layers and perform actions that should be restricted, such as viewing or modifying appointment data. This broken access control can lead to unauthorized disclosure of sensitive scheduling information and potential tampering of appointment records, undermining both confidentiality and integrity.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate impact and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog, meaning no known public exploits are reported. Based on the description, the likely attack vector is inferred to involve interacting with the WordPress environment, specifically through the plugin\u2019s administrative interface using an authenticated user or a role that grants excessive permissions. If an attacker can reach the plugin\u2019s administrative interface, they could elevate privileges or access sensitive appointment data."}}}}, "created": "2026-01-23T16:27:53.831530+00:00", "updated": "2026-04-28T18:15:37.363206+00:00", "vendors": ["nsquared", "nsquared$PRODUCT$simply_schedule_appointments", "wordpress", "wordpress$PRODUCT$wordpress"]}