Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to data exfiltration
Action: Patch
AI Analysis

Impact

The vulnerability is a blind SQL injection that permits attackers to append arbitrary SQL fragments to database queries. It originates from the TD_DB_Model component, where the append_where_sql parameter received via JSON request bodies is forwarded to MySQL without proper sanitization, while Only its presence in the $_REQUEST superglobal is checked. This flaw, identified as CWE‑89, enables unauthenticated attackers to retrieve sensitive content from the database if they possess a valid public_token that may be inadvertently exposed during the booking flow. The resulting impact includes potential confidentiality breaches and possible integrity violations if malicious commands are executed.

Affected Systems

All installations of the WordPress plugin Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin with version 1.6.9.27 or earlier are affected. The issue resides in the plugin’s backend database abstraction layer and is present in any WordPress site that has this plugin active prior to the stated release. No information indicates that later releases have fixed the flaw, so sites running the affected version range remain at risk.

Risk and Exploitability

The CVSS v3.1 score of 7.5 classifies the vulnerability as High severity. The EPSS score of <1 % suggests that exploitation likelihood is currently low, and the flaw is not listed in the CISA KEV catalog. Attackers require access to a public_token, obtainable during normal booking interactions, and the ability to send a crafted JSON payload to the plugin’s endpoint. Because the vulnerability is unauthenticated, broad target coverage exists, but the commercial popularity of the plugin and the specific requirement for a publicly exposed token reduce the immediate exploitation probability.

Generated by OpenCVE AI on March 17, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin if one is available
  • If an update is not feasible, modify the plugin to block or sanitize the append_where_sql parameter in JSON requests, or disable the TD_DB_Model usage
  • Restrict exposure of the public_token by tightening access controls or removing the public_token mechanism entirely
  • Maintain overall WordPress security hygiene: stay current with core, theme, and plugin updates, implement web‑application firewall rules, and monitor logs for suspicious activity

Generated by OpenCVE AI on March 17, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Croixhaug
Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress
Wordpress wordpress
Vendors & Products Croixhaug
Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress
Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 08:00:00 +0000

Type Values Removed Values Added
Description The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow.
Title Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T13:50:40.662Z

Reserved: 2026-01-30T16:27:23.329Z

Link: CVE-2026-1708

cve-icon Vulnrichment

Updated: 2026-03-11T13:50:34.664Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-11T08:16:03.150

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-1708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:37:38Z

Weaknesses