Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
CVSS 9.1 | AI Score 9 | EPSS 0.244
API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Full system takeover.
CVSS 8.8 | AI Score 8.7 | EPSS 0.001
Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVSS 9.8 | AI Score 6.7 | EPSS 0.003
CVSS 3.8 | AI Score 5.2 | EPSS 0.001
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVSS 4.8 | AI Score 5.1 | EPSS 0.001
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVSS 5.4 | AI Score 4.5 | EPSS 0.001
Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVSS 5.4 | AI Score 5.4 | EPSS 0.001
Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVSS 8.8 | AI Score 6.1 | EPSS 0.002
A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation.
CVSS 7.7 | AI Score 7.1 | EPSS 0.0005
A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
CVSS 9.9 | AI Score 9.1 | EPSS 0.001
A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
CVSS 8.8 | AI Score 8.3 | EPSS 0.001
A BOLA vulnerability in POST /services allows a low privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation.
CVSS 7.7 | AI Score 7.2 | EPSS 0.0005
A BOLA vulnerability in POST /customers allows a low privileged user to create a low privileged user (customer) in the system. This results in unauthorized data manipulation.
CVSS 5 | AI Score 4.9 | EPSS 0.0004
Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVSS 6.3 | AI Score 4.5 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVSS 8.5 | AI Score 8 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.
CVSS 9.9 | AI Score 8.9 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVSS 9.9 | AI Score 8.9 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVSS 9.1 | AI Score 8.7 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.
CVSS 9.9 | AI Score 8.9 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.
CVSS 9.9 | AI Score 8.7 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVSS 9.9 | AI Score 8.9 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.
CVSS 9.9 | AI Score 8.9 | EPSS 0.001
A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVSS 9.6 | AI Score 8.8 | EPSS 0.001
The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users order...
CVSS 4.3 | AI Score 5.4 | EPSS 0.0004