Vulnerabilities
Vulnerable Software
Easy!Appointments is a self-hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-01-15
Cross-Site Request Forgery (CSRF) vulnerability in alextselegidis Easy!Appointments allows Cross Site Request Forgery. This issue affects Easy!Appointments: from n/a through 1.4.2.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-04-01
Missing Authorization vulnerability in Alex Tselegidis Easy!Appointments. This issue affects Easy!Appointments: from n/a through 1.3.3.
CVSS Score
6.3
EPSS Score
0.002
Published
2024-04-11
Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Information Disclosure (Username and Password Hash).
CVSS Score
5.3
EPSS Score
0.002
Published
2019-09-11

