Easy!Appointments, Easy!Pwnage: CSRF Bypass via Method Confusion
Jan 16, 2026
Executive Summary (TL;DR)
The Easy!Appointments scheduler fails to validate CSRF tokens for GET requests. Because the application's controllers inadvertently process data from the URL query string, attackers can perform administrative actions (like creating a new admin user) by sending a victim a crafted link. Fixed in version 1.5.3.
A critical Cross-Site Request Forgery (CSRF) vulnerability in Easy!Appointments allows unauthenticated attackers to create administrative accounts by simply tricking an existing admin into clicking a link. The flaw stems from a logic error where CSRF tokens are only validated on POST requests, while sensitive controllers willingly accept GET parameters.
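The following is an added illustration of the method-confusion pattern described above, not code from Easy!Appointments or its maintainer. It models a minimal request dispatcher in two variants: one that validates the CSRF token only on POST while the controller merges URL and body parameters (the flawed logic), and one that refuses non-POST requests to state-changing routes and reads parameters only from the validated body. The route name `/users/save`, the parameter names and the session layout are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Hypothetical request model; field names are assumptions, not the project's.
@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)    # URL query string
    form: Dict[str, str] = field(default_factory=dict)     # POST body
    session: Dict[str, str] = field(default_factory=dict)  # cookie-bound server session


class AppState:
    """Toy persistence: username -> role."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    @staticmethod
    def new_admin_session() -> Dict[str, str]:
        # A logged-in admin with a per-session CSRF token, as a framework would issue.
        return {"csrf_token": secrets.token_hex(16), "user": "admin", "role": "admin"}


def save_user(state: AppState, params: Dict[str, str]) -> int:
    """State-changing controller: creates a user with the requested role."""
    state.users[params["username"]] = params.get("role", "customer")
    return 200


def token_ok(req: Request) -> bool:
    # Constant-time comparison of the submitted token against the session token.
    return hmac.compare_digest(req.form.get("csrf_token", ""), req.session.get("csrf_token", ""))


# Flawed variant: the token is checked only on POST, and the controller then
# reads parameters from both the query string and the body, so a GET request
# carrying the same parameters in the URL reaches the controller unchecked.
def dispatch_vulnerable(state: AppState, req: Request) -> int:
    if req.method == "POST" and not token_ok(req):
        return 403
    params = {**req.query, **req.form}
    if req.path == "/users/save":
        return save_user(state, params)
    return 404


# Hardened variant: state-changing routes require POST and a valid token, and
# only body parameters are passed on, so URL parameters can never drive a write.
STATE_CHANGING = {"/users/save"}


def dispatch_hardened(state: AppState, req: Request) -> int:
    if req.path in STATE_CHANGING:
        if req.method != "POST":
            return 405
        if not token_ok(req):
            return 403
        params = dict(req.form)
    else:
        params = dict(req.query)
    if req.path == "/users/save":
        return save_user(state, params)
    return 404


def simulate(dispatcher: Callable[[AppState, Request], int]) -> Tuple[int, int, int, Dict[str, str]]:
    """Replay three constructed requests from an admin's browser through a dispatcher:
    a GET with parameters in the URL (what a forged link produces), a POST without a
    token, and a legitimate POST carrying the session token."""
    state = AppState()
    session = AppState.new_admin_session()
    get_link = Request("GET", "/users/save",
                       query={"username": "unexpected", "role": "admin"}, session=session)
    post_no_token = Request("POST", "/users/save",
                            form={"username": "notoken", "role": "admin"}, session=session)
    post_legit = Request("POST", "/users/save",
                         form={"username": "alice", "role": "admin",
                               "csrf_token": session["csrf_token"]}, session=session)
    return (dispatcher(state, get_link), dispatcher(state, post_no_token),
            dispatcher(state, post_legit), dict(state.users))


if __name__ == "__main__":
    print("vulnerable:", simulate(dispatch_vulnerable))
    print("hardened:  ", simulate(dispatch_hardened))
```

The key design point in the hardened variant is that the CSRF decision is made per route rather than per method: any route that changes state is bound to POST and to the token, regardless of where a caller might have put its parameters. Checking the token on every method would also close the hole, but enforcing the method first is what removes the query string as an input channel for writes.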
Technical Appendix
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Easy!Appointments (alextselegidis) | <= 1.5.2 | 1.5.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-352 (CSRF) |
| CVSS v4.0 | 7.4 (High) |
| Attack Vector | Network |
| User Interaction | Required (Passive) |
| Impact | Admin Account Creation / Takeover |
| Patch Status | Fixed in 1.5.3 |
CWE-352 Description (MITRE)
The application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.