UNKNOWN (0.0)
    Plugin

    Sensitive Information Exposure in Appointment Booking Calendar Plugin

    Published Date: 1/6/2026
    CVE ID: CVE-2025-11723

    Summary

    The Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to sensitive information exposure because token generation uses a hardcoded fallback salt. The flaw exists in versions up to 1.6.9.5 and potentially allows attackers to access and modify booking information without authentication.

    Vulnerability Details

    The vulnerability is rooted in the Appointment Booking Calendar plugin's use of the hash() function with a hardcoded fallback salt. When a site does not specify a custom salt in the WordPress configuration file (wp-config.php), the plugin uses the fallback salt, which is the same across all installations. This enables attackers to generate valid authentication tokens. A token generated with the common fallback salt can be used to gain unauthorized access to sensitive booking information. Attackers could exploit this to view or modify booking data, disrupting operations and potentially leading to further security implications.

    The severity is as yet unclassified, but the exposure of sensitive information presents tangible risks to websites using this plugin.

    Recommendations

    To mitigate this vulnerability, administrators should manually set a unique salt in the wp-config.php file for the plugin. Additionally, review and modify access controls and permissions related to sensitive booking data to limit potential risks from unauthorized access.
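
    The weak pattern described under Vulnerability Details, next to a hardened form, as an added example that is not the plugin's own code. Every function name, the array-based site configuration and the salt value are hypothetical and constructed for illustration; the advisory does not give the plugin's constant name or token format.

```php
<?php
// Added illustration. All names and values are hypothetical, not the plugin's code.

const FALLBACK_SALT = 'constructed-fallback-salt'; // constructed placeholder value

// Weak pattern: a site without its own salt silently falls back to a value
// that ships identically with every installation.
function weak_token(array $site, int $booking_id): string {
    $salt = $site['salt'] ?? FALLBACK_SALT;
    return hash('sha256', $booking_id . $salt);
}

// Hardened pattern: there is no shared default. A missing secret is generated
// once per installation from a CSPRNG (a real plugin would persist it).
function site_secret(array &$site): string {
    if (empty($site['salt'])) {
        $site['salt'] = bin2hex(random_bytes(32));
    }
    return $site['salt'];
}

// Tokens are keyed HMACs over the booking id rather than hash(data . salt).
function strong_token(array &$site, int $booking_id): string {
    return hash_hmac('sha256', (string) $booking_id, site_secret($site));
}

// Verification recomputes the token and compares in constant time.
function verify_token(array &$site, int $booking_id, string $token): bool {
    return hash_equals(strong_token($site, $booking_id), $token);
}

// Two constructed installations, neither with a salt configured.
$site_a = ['name' => 'site-a'];
$site_b = ['name' => 'site-b'];

// Weak pattern: compare the tokens both installations issue for one booking id.
echo 'weak tokens identical across sites: ';
var_dump(weak_token($site_a, 42) === weak_token($site_b, 42));

// Hardened pattern: check site A's token on site A, then on site B.
$token_a = strong_token($site_a, 42);
echo 'site A token accepted by site A: ';
var_dump(verify_token($site_a, 42, $token_a));
echo 'site A token accepted by site B: ';
var_dump(verify_token($site_b, 42, $token_a));
```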

    Available Fixes

    Last Updated: 1/7/2026
    Jedar
