HIGH | CVE-2026-39513 | CNA: Patchstack

CVE-2026-39513: WordPress Easy Appointments plugin <= 3.12.21 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Easy Appointments versions <= 3.12.21.

Metrics

  • CVSS v3.1 score: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated broken access control vulnerability affects the WordPress Easy Appointments plugin at version 3.12.21 and below. The flaw is reachable over the network and requires no credentials, allowing any external attacker to bypass intended access restrictions. Successful exploitation gives an attacker read access to sensitive data exposed by the plugin. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-39513 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines. This matching covers custom-built images that bundle the Easy Appointments plugin alongside WordPress.

Triage: Available

Triage is available with CVSS v3.1 scoring of 7.5 (HIGH), weighted against each customer environment's configured compliance policy to determine urgency. Routing to the appropriate team inbox within each customer organization is handled automatically based on image ownership and policy rules.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the Patchstack and WordPress advisory sources on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. Where compliance policy permits, customers with auto-remediation enabled will receive an automatic rebuild, regression run, and PR opened against affected workloads as soon as a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; no local or physical access is needed.

  • Authentication: Not required

    No account or credentials of any kind are needed; the vulnerability is fully unauthenticated.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker sends requests directly to the affected endpoint.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or environmental setup.

Blast Radius

  • An attacker reads data exposed through the plugin's access-controlled endpoints without holding any account on the WordPress site.
  • Appointment records, customer details, or other structured data managed by Easy Appointments may be extracted depending on the deployment's configuration.
  • No data modification or service disruption is indicated by the CVSS vector; impact is limited to confidentiality loss.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-39513 at this time, the platform continuously monitors the Patchstack and WordPress advisory feeds on every ingest cycle. As compensating controls, customers can apply network policy isolation to restrict external access to the WordPress instance, use egress filtering to limit outbound data paths, and consider temporarily disabling the Easy Appointments plugin if the deployment context permits. When an upstream patch is published, a patched-image rebuild at the fix version will become available automatically; for customers with auto-remediation enabled, this will trigger a rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
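Until a fix version ships, the practical question for a defender is simply whether a given WordPress image or host carries Easy Appointments at or below 3.12.21. The script below, an added example that is neither HarborGuard's nor the plugin's own code, reads plugin headers from a wp-content/plugins tree the way WordPress does (the first 8 KB of each plugin's main PHP file) and flags the affected range from this advisory. The plugin directory name `easy-appointments`, the file name `main.php`, and the sample header contents are assumptions constructed for the example; confirm the slug against the real deployment before relying on the match.

```python
"""Flag a WordPress plugins directory whose Easy Appointments copy falls in the
CVE-2026-39513 affected range (<= 3.12.21). Added example; assumes the plugin
lives under the directory 'easy-appointments'."""
import re
import tempfile
from pathlib import Path

# Upper bound of the affected range, taken from the advisory.
AFFECTED_MAX = "3.12.21"
# Assumed plugin directory name (slug); verify against the deployment.
PLUGIN_SLUG = "easy-appointments"

# WordPress header lines look like " * Version: 3.12.21" inside a PHP comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$",
                       re.MULTILINE | re.IGNORECASE)


def parse_plugin_header(php_source: str) -> dict:
    """Return {'plugin name': ..., 'version': ...} from the header comment.
    Only the first 8 KB is consulted, matching WordPress's own reader."""
    head = php_source[:8192]
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}


def version_tuple(version: str) -> tuple:
    """Numeric comparison key; a non-numeric suffix such as '-beta' is
    dropped so '3.12.21-beta' still compares as 3.12.21."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is at or below the advisory's upper bound."""
    return version_tuple(version) <= version_tuple(AFFECTED_MAX)


def scan_plugins_dir(plugins_dir: Path) -> list:
    """Walk a wp-content/plugins directory and return
    (slug, version, affected) for each plugin whose main file is found.
    Only the Easy Appointments slug is judged against this advisory."""
    findings = []
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if "plugin name" in header and "version" in header:
                affected = (plugin_dir.name == PLUGIN_SLUG
                            and is_affected(header["version"]))
                findings.append((plugin_dir.name, header["version"], affected))
                break  # one main file per plugin
    return findings


def demo() -> list:
    """Build a constructed plugins tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp()) / "plugins"
    (root / PLUGIN_SLUG).mkdir(parents=True)
    (root / PLUGIN_SLUG / "main.php").write_text(
        "<?php\n/**\n * Plugin Name: Easy Appointments\n"
        " * Version: 3.12.21\n */\n")
    (root / "example-other").mkdir()
    (root / "example-other" / "example.php").write_text(
        "<?php\n/*\nPlugin Name: Example Other\nVersion: 0.1.0\n*/\n")
    return scan_plugins_dir(root)


if __name__ == "__main__":
    for slug, version, affected in demo():
        status = "AFFECTED by CVE-2026-39513" if affected else "not affected"
        print(f"{slug} {version}: {status}")
```

Point `scan_plugins_dir` at a mounted image layer or a live host's `wp-content/plugins` to get the same tuple list; a `True` third field is the signal to apply the compensating controls above or deactivate the plugin until the fix version is published.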

Affected packages

  • Easy Appointments (vendor: Easy Appointments), versions ≤ 3.12.21

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N