CVE-2026-42384: WordPress Simply Schedule Appointments plugin < 1.6.11.2 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 1.6.11.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a sensitive data exposure vulnerability in the Simply Schedule Appointments WordPress plugin by NSquared, affecting all versions before 1.6.11.2. The vulnerability is reachable over the network with no authentication required and no special conditions needed, meaning any unauthenticated user on the internet can trigger it. Successful exploitation allows an attacker to read sensitive data from the affected WordPress installation. A patched-image rebuild at version 1.6.11.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection for CVE-2026-42384 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering custom-built WordPress images as well as vendor-supplied ones. Any image carrying the Simply Schedule Appointments plugin at a version below 1.6.11.2 is flagged automatically.
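The flagging rule above reduces to one check: is the installed plugin version below 1.6.11.2? The following is an added example of that check, not HarborGuard's own scanner code. It reads the version from a WordPress plugin file header and compares it numerically; the header text is constructed for the example, and the plugin's real main-file path is not assumed. It also shows why a plain string comparison is wrong for four-component versions such as 1.6.11.2.

```python
import re

# Fix version stated in the advisory.
FIXED_VERSION = "1.6.11.2"

# Constructed sample of a WordPress plugin header (not copied from the plugin).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Simply Schedule Appointments
 * Version: 1.6.9
 */
"""

def header_version(php_source):
    """Extract the 'Version:' value from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)\s*$", php_source, re.M)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)

def parse_version(v):
    """'1.6.11.2' -> (1, 6, 11, 2); tuples compare component by component."""
    return tuple(int(x) for x in v.strip().split("."))

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed version."""
    return parse_version(installed) < parse_version(fixed)

def naive_string_check(installed, fixed=FIXED_VERSION):
    """The wrong way: lexicographic comparison. '1.6.9' sorts AFTER '1.6.11.2'
    because '9' > '1', so a vulnerable install is reported as patched."""
    return installed < fixed

def scan_header(php_source):
    """Return (version, vulnerable) for one plugin header."""
    v = header_version(php_source)
    return v, is_vulnerable(v)

if __name__ == "__main__":
    version, vuln = scan_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed {version}: vulnerable={vuln}, "
          f"naive string check says vulnerable={naive_string_check(version)}")
```

Numeric tuple comparison handles versions with differing component counts as well (1.7 sorts above 1.6.11.2), which is the behaviour a fix-version rule needs.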
HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and weighs it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at Simply Schedule Appointments version 1.6.11.2 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress service via HTTP/HTTPS to exploit it.
- Authentication: Not required
No account or session credential of any kind is needed; the exposure is reachable by any unauthenticated request.
- Victim interaction: Not required
The attacker does not need to trick or involve any user; the request can be sent directly with no social engineering required.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special timing, memory layout knowledge, or environmental preconditions.
Blast Radius
- An attacker reads sensitive data stored or processed by the Simply Schedule Appointments plugin, which may include appointment details, customer contact information, or configuration values.
- No integrity impact is present; the attacker cannot modify stored records or plugin state through this vulnerability.
- No availability impact is present; the service continues running normally after exploitation.
- Exposed data can be harvested passively at scale with no authentication barrier, making bulk enumeration straightforward.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE ingests from the Patchstack advisory feed within minutes of publication and matches against all images in connected registries and CI pipelines, including custom WordPress-based images. For environments running Simply Schedule Appointments below 1.6.11.2, a patched rebuild at 1.6.11.2 is available. Where auto-remediation is enabled and compliance policy permits, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Customers who have not enabled auto-remediation will see the finding surfaced in their HarborGuard dashboard with fix-version guidance attached.
Fix available
- NSquared / Simply Schedule Appointments: < 1.6.11.2 (from n/a)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N