CVE-2025-50383

Published Aug 25, 2025

Last updated 7 months ago

CVSS high 8.1

Overview

Description
alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.
Source
cve@mitre.org
NVD status
Analyzed
Products
easy\!appointments

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.2
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-89

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.CVE-2026-23622
  2. Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability.CVE-2025-29448
  3. Cross-Site Request Forgery (CSRF) vulnerability in alextselegidis Easy!Appointments easyappointments allows Cross Site Request Forgery.This issue affects Easy!Appointments: from n/a through <= 1.4.2.CVE-2025-31828
  4. The Easy!Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'easyappointments' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.CVE-2024-0698

References

Sources include official advisories and independent security research.