VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 8 known issues Latest disclosed Apr 17, 2026

Easy Appointments Vulnerabilities

Review known vulnerability records for the WordPress plugin Easy Appointments (`easy-appointments`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-2262, CVE-2025-49398 and CVE-2024-2844, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
8
High or Critical
1
Patch Coverage
100%
Last Updated
Apr 17, 2026
Priority CVE Quick Links

Fast paths into Easy Appointments CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
8
CVE-2026-2262 High 3.12.22
CVE-2026-2262 Easy Appointments Sensitive Information Exposure

Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

CVE-2025-49398 Medium 3.12.14.1
CVE-2025-49398 Easy Appointments Vulnerability

Easy Appointments <= 3.12.14 - Unauthenticated Arbitrary Shortcode Execution

CVE-2024-2842 Medium 3.11.19
CVE-2024-2842 Easy Appointments Stored Cross-Site Scripting

Easy Appointments <= 3.11.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2022-4668 Medium 3.11.0
CVE-2022-4668 Easy Appointments Stored Cross-Site Scripting

Easy Appointments <= 3.10.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE-2022-36424 Medium 3.11.10
CVE-2022-36424 Easy Appointments Cross-Site Scripting

Easy Appointments <= 3.11.9 - Cross-Site Request Forgery via multiple AJAX actions

CVE-2017-15812 Medium 1.12.0
CVE-2017-15812 Easy Appointments Cross-Site Scripting

Easy Appointments < 1.12.0 - Cross-Site Scripting

CVE-2023-30748 Medium 3.11.1
CVE-2023-30748 Easy Appointments Stored Cross-Site Scripting

Easy Appointments <= 3.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

CVE-2024-2844 Medium 3.11.19
CVE-2024-2844 Easy Appointments Vulnerability

Easy Appointments <= 3.11.18 - Insufficient Authorization

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Easy Appointments so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
8 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 1 high severity finding.
Recent CVEs
CVE-2026-2262, CVE-2025-49398 and CVE-2024-2844
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Easy Appointments

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-2262
CVE-2026-2262: Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback'...

Published
Apr 17, 2026
Patched Release
3.12.22
Affected Versions
Versions up to 3.12.21
Next Step
Update to 3.12.22 or newer if supported.
Open CVE-2026-2262 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-49398
CVE-2025-49398: Easy Appointments <= 3.12.14 - Unauthenticated Arbitrary Shortcode Execution

The The Easy Appointments plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.12.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This m...

Published
Sep 09, 2025
Patched Release
3.12.14.1
Affected Versions
Versions up to 3.12.14
Next Step
Update to 3.12.14.1 or newer if supported.
Open CVE-2025-49398 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-2844
CVE-2024-2844: Easy Appointments <= 3.11.18 - Insufficient Authorization

The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cance...

Published
Mar 28, 2024
Patched Release
3.11.19
Affected Versions
Versions up to 3.11.18
Next Step
Update to 3.11.19 or newer if supported.
Open CVE-2024-2844 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-2842
CVE-2024-2842: Easy Appointments <= 3.11.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Easy Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ea_full_calendar' shortcode in all versions up to, and including, 3.11.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

Published
Mar 28, 2024
Patched Release
3.11.19
Affected Versions
Versions up to 3.11.18
Next Step
Update to 3.11.19 or newer if supported.
Open CVE-2024-2842 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-36424
CVE-2022-36424: Easy Appointments <= 3.11.9 - Cross-Site Request Forgery via multiple AJAX actions

The Easy Appointments plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.11.9. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to modify plugin...

Published
May 05, 2023
Patched Release
3.11.10
Affected Versions
Versions up to 3.11.9
Next Step
Update to 3.11.10 or newer if supported.
Open CVE-2022-36424 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-30748
CVE-2023-30748: Easy Appointments <= 3.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Easy Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers , with administrator-level access and ab...

Published
Apr 14, 2023
Patched Release
3.11.1
Affected Versions
Versions up to 3.11.0
Next Step
Update to 3.11.1 or newer if supported.
Open CVE-2023-30748 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-4668
CVE-2022-4668: Easy Appointments <= 3.10.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Easy Appointment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 3.10.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authentic...

Published
Dec 27, 2022
Patched Release
3.11.0
Affected Versions
Versions up to 3.10.7
Next Step
Update to 3.11.0 or newer if supported.
Open CVE-2022-4668 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2017-15812
CVE-2017-15812: Easy Appointments < 1.12.0 - Cross-Site Scripting

The Easy Appointments plugin before 1.12.0 for WordPress has XSS via a Settings value in the admin panel.

Published
Oct 16, 2017
Patched Release
1.12.0
Affected Versions
Versions before 1.12.0
Next Step
Update to 1.12.0 or newer if supported.
Open CVE-2017-15812 Report Open CVE Reference