Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-01-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL injection
Action: Apply Patch
AI Analysis

Impact

The plugin contains a blind SQL injection vulnerability that allows unauthenticated attackers to supply malicious input through the `order` and `append_where_sql` parameters. By inserting crafted SQL fragments, an attacker can append additional statements to the existing query and extract data from the database. The flaw is a classic SQL injection (CWE-89); it does not enable remote code execution, but it can compromise the confidentiality of sensitive site information.
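The pattern behind this class of bug, as an added illustration rather than the plugin's own code: a sort expression and a raw WHERE fragment taken straight from the request are concatenated into a WordPress `$wpdb` query, beside a hardened rewrite that allowlists identifiers and prepares values. The table name, request keys other than `order` and `append_where_sql`, and function names are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): how an `order` parameter and a raw
// `append_where_sql` fragment become a SQL injection sink in a WordPress query,
// and a hardened rewrite. Assumes the usual $wpdb object and a hypothetical
// appointments table.

// VULNERABLE PATTERN: client-controlled strings are concatenated into the query.
function ssa_example_vulnerable_query( $wpdb, array $request ) {
    $table = $wpdb->prefix . 'ssa_appointments'; // hypothetical table name
    $order = $request['order'];                    // e.g. "start_date DESC"
    $where = $request['append_where_sql'];         // raw SQL text from the client
    // Neither value is escaped or prepared, so whatever SQL the caller supplies runs.
    return "SELECT id, start_date, status FROM {$table} WHERE 1=1 {$where} ORDER BY {$order}";
}

// HARDENED PATTERN: never accept SQL text from the client. Accept structured
// filter values and map the sort request onto an allowlist of identifiers.
function ssa_example_safe_query( $wpdb, array $request ) {
    $table = $wpdb->prefix . 'ssa_appointments';

    // ORDER BY cannot be parameterised with placeholders; identifiers must be
    // chosen from a fixed allowlist instead of copied from the request.
    $sortable  = array( 'id', 'start_date', 'status' );
    $column    = in_array( $request['orderby'] ?? '', $sortable, true ) ? $request['orderby'] : 'start_date';
    $direction = ( strtoupper( $request['order'] ?? '' ) === 'DESC' ) ? 'DESC' : 'ASC';

    // Filters arrive as values, not SQL fragments; each goes through $wpdb->prepare().
    $sql  = "SELECT id, start_date, status FROM {$table} WHERE 1=1";
    $args = array();
    if ( ! empty( $request['status'] ) ) {
        $sql   .= ' AND status = %s';
        $args[]  = $request['status'];
    }
    if ( ! empty( $request['after'] ) ) {
        $sql   .= ' AND start_date >= %s';
        $args[]  = $request['after'];
    }
    $sql .= " ORDER BY {$column} {$direction}";

    // prepare() warns when called with no placeholders, so only call it with args.
    return $args ? $wpdb->prepare( $sql, $args ) : $sql;
}
```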

Affected Systems

The vulnerability affects the WordPress plugin Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin from croixhaug. All released versions up to and including 1.6.9.9 are impacted. Users who rely on this plugin for booking functionality must check their current installations against this version range.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog, and it is exploitable via unauthenticated HTTP requests to the WordPress site. Because no privileges or user interaction are required, sites that expose the plugin's endpoints face a high risk once the affected URLs have been identified.

Generated by OpenCVE AI on April 22, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a version newer than 1.6.9.9, which removes the vulnerable code paths.
  • If an update is not immediately possible, restrict access to the plugin's configuration pages or block unauthenticated requests to the plugin's endpoints until an update can be applied.
  • Verify that the WordPress installation is current and that no other plugins provide similar vulnerable parameters.

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 08:15:00 +0000

Type: First Time appeared
Values Added: Croixhaug; Croixhaug appointment Booking Calendar; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Croixhaug; Croixhaug appointment Booking Calendar; Wordpress; Wordpress wordpress

Wed, 14 Jan 2026 22:45:00 +0000

Type: Description
Values Added: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Croixhaug Appointment Booking Calendar
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:43.838Z

Reserved: 2025-10-24T14:17:49.038Z

Link: CVE-2025-12166

Vulnrichment

Updated: 2026-01-15T14:37:28.564Z

NVD

Status: Deferred

Published: 2026-01-14T23:15:54.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12166

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses