CVE-2026-23622
📋 TL;DR
Easy!Appointments 1.5.2 and earlier skip CSRF token verification for requests that are not POST, so an attacker who gets a logged-in administrator to load a crafted URL can trigger state-changing operations through plain GET requests. Reported impact includes creating new admin accounts and changing existing admin credentials, i.e. full administrative account takeover. All installations running version 1.5.2 or earlier are affected.
💻 Affected Systems
- Easy!Appointments
📦 What is this software?
Easy!Appointments by Easyappointments, an open-source web application for appointment scheduling (https://github.com/alextselegidis/easyappointments).
⚠️ Risk & Real-World Impact
Worst Case
Full administrative account takeover leading to complete compromise of the appointment scheduling system, data theft, and unauthorized access to all user data.
Likely Case
Attackers create unauthorized admin accounts or modify existing admin credentials to gain administrative access to the system.
If Mitigated
If the CSRF check is enforced on every HTTP method and state-changing handlers refuse GET requests outright, a cross-site request can no longer reach those handlers and this attack fails.
🎯 Exploit Status
Exploitation requires a victim who is currently logged in as an administrator to load an attacker-controlled URL, for example through a link, an <img> tag or a redirect on a page the attacker controls. Because the forged request is an ordinary GET, the browser attaches the victim's session cookie automatically and no interaction beyond loading the page is needed; the attacker never sees the response and does not need to.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.3
Vendor Advisory: https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj
Restart Required: No
Instructions:
1. Back up your current installation (files and database).
2. Download version 1.5.3 or later from the official repository.
3. Replace the affected files, in particular application/core/EA_Security.php.
4. Verify the fix by confirming that state-changing operations sent as GET requests are now rejected.
🔧 Temporary Workarounds
Modify the CSRF verification logic
Manually patch application/core/EA_Security.php so that csrf_verify() enforces the token check on all HTTP methods, not just POST: remove the early return taken for non-POST requests. Test this on a staging instance first, because enforcing the check on every method will also reject any legitimate GET the application issues without a token.
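The following Python model, an added example that is not Easy!Appointments' own PHP code, shows the early-return pattern the advisory describes beside a hardened check, and exercises both with a forged GET of the kind used in this attack. The route paths, cookie and parameter names and the STATE_CHANGING set are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Methods that must never change state vs. methods that must carry a token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Assumed set of endpoints that change server state (illustrative only,
# not the application's real route table).
STATE_CHANGING = {"/admin/users/save", "/admin/settings/save"}


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query string or form fields
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _token_matches(req: Request) -> bool:
    """Double-submit check: the token sent with the request must equal the
    CSRF cookie. hmac.compare_digest avoids timing leaks; an empty cookie
    never matches anything."""
    cookie = req.cookies.get("csrf_cookie", "")
    supplied = req.params.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    return bool(cookie) and hmac.compare_digest(cookie, supplied)


def csrf_verify_vulnerable(req: Request) -> bool:
    """The pattern the advisory describes: only POST is checked, so any other
    method, including a forged GET, is accepted without a token."""
    if req.method != "POST":
        return True          # early return: no token check at all
    return _token_matches(req)


def csrf_verify_hardened(req: Request) -> bool:
    """Every unsafe method needs a valid token, and safe methods are refused
    on endpoints that change state, so a cross-site link or <img> tag cannot
    trigger them at all."""
    if req.method in SAFE_METHODS:
        return req.path not in STATE_CHANGING
    if req.method in UNSAFE_METHODS:
        return _token_matches(req)
    return False             # unknown methods fail closed


def run_checks() -> dict:
    """Exercise both verifiers with a forged GET (the advisory's scenario),
    a legitimate POST carrying the token, and a POST missing it."""
    forged_get = Request(
        "GET", "/admin/users/save",
        params={"email": "attacker@example.com", "password": "Pwned-1", "action": "create"},
        cookies={"ci_session": "victim-session", "csrf_cookie": "abc123"},
    )
    good_post = Request(
        "POST", "/admin/users/save",
        params={"email": "admin@example.com", "csrf_token": "abc123"},
        cookies={"csrf_cookie": "abc123"},
    )
    bad_post = Request(
        "POST", "/admin/users/save",
        params={"email": "x@example.com"},
        cookies={"csrf_cookie": "abc123"},
    )
    return {
        "forged_get_vulnerable": csrf_verify_vulnerable(forged_get),
        "forged_get_hardened": csrf_verify_hardened(forged_get),
        "good_post_hardened": csrf_verify_hardened(good_post),
        "bad_post_hardened": csrf_verify_hardened(bad_post),
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The hardened version does two things the vulnerable one does not: it requires a token on every unsafe method rather than only POST, and it refuses GET on state-changing routes instead of merely demanding a token there, which is what makes link- and image-based delivery useless to an attacker.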
🧯 If You Can't Patch
- Set SameSite=Strict on the session cookie. SameSite=Lax is not enough for this bug: browsers still send Lax cookies on top-level GET navigations, so a link or redirect to the vulnerable endpoint succeeds; Lax only blocks embedded delivery such as <img> tags.
- Deploy a WAF rule that blocks GET requests to admin endpoints carrying state-changing parameters (for example account or password fields), and alert on any request the rule drops.
🔍 How to Verify
Check if Vulnerable:
Any Easy!Appointments installation at version 1.5.2 or earlier is vulnerable. To confirm, open application/core/EA_Security.php and check whether csrf_verify() returns early for requests whose method is not POST.
Check Version:
Check the version in the application's configuration files or admin interface
Verify Fix Applied:
After patching, test that state-changing operations via GET requests now properly require CSRF tokens and fail without them.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to admin endpoints that normally require POST
- Multiple failed CSRF token validations
- Unexpected admin account creation or credential changes
Network Indicators:
- GET requests with state-changing parameters to admin endpoints
- Requests lacking CSRF tokens to endpoints that should require them
SIEM Query (pseudo-syntax; adapt field names to your platform, and expect some noise from legitimate admin searches that pass email addresses as GET parameters):
source="web_logs" AND (uri="*/admin/*" OR uri="*/api/*") AND method="GET" AND (params CONTAINS "action=create" OR params CONTAINS "password" OR params CONTAINS "email")
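The same logic run over web-server access logs, as an added example that is not part of the original advisory: it parses combined-format lines, flags GET requests to admin or API paths that carry state-changing parameters, and adds a cross-site Referer as a further indicator. The log lines are constructed for the example, and the hostname, path prefixes and parameter names are assumptions taken from the query above rather than from the application's real routes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "booking.example"            # assumed hostname of the instance
ADMIN_PREFIXES = ("/admin", "/api")      # path prefixes the SIEM query targets
SENSITIVE_PARAMS = {"password", "email"}
STATE_ACTIONS = {"create", "update", "delete", "save"}

# Constructed sample log: line 1 and line 4 are the pattern we want to catch.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:14:02:11 +0000] "GET /admin/users/save?email=attacker%40example.com&password=Pwned-1&action=create HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:14:03:20 +0000] "POST /admin/users/save HTTP/1.1" 200 512 "https://booking.example/admin/users" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:14:03:25 +0000] "GET /admin/users?page=2 HTTP/1.1" 200 8192 "https://booking.example/admin" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:14:05:02 +0000] "GET /api/v1/settings?action=update&email=x%40example.com HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:14:06:00 +0000] "GET /index.php/appointments?date=2026-03-11 HTTP/1.1" 200 4096 "https://booking.example/" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_reasons(rec: dict) -> list:
    """List why a record matches the CSRF-via-GET pattern; empty means benign."""
    if rec["method"] != "GET":
        return []
    url = urlsplit(rec["target"])
    if not url.path.startswith(ADMIN_PREFIXES):
        return []
    params = parse_qs(url.query)
    reasons = []
    hit = sorted(set(params) & SENSITIVE_PARAMS)
    if hit:
        reasons.append("sensitive parameters in query: " + ", ".join(hit))
    for action in params.get("action", []):
        if action in STATE_ACTIONS:
            reasons.append(f"state-changing action={action}")
    # A Referer from another site is strong corroboration, but only worth
    # reporting once the request itself already looks state-changing.
    ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
    if reasons and ref_host and ref_host != SITE_HOST:
        reasons.append(f"cross-site referer {ref_host}")
    return reasons


def scan(log_text: str) -> list:
    """Scan a log blob and return one finding per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "target": rec["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['target']}")
        for r in h["reasons"]:
            print(f"    - {r}")
```

Tune SENSITIVE_PARAMS and STATE_ACTIONS to the parameter names your installation actually uses; the Referer check is a corroborating signal only, since browsers and privacy extensions frequently strip it, which is why an absent Referer is never treated as benign here.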