Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.
Published: 2026-05-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin is vulnerable to denial of service in all versions up to and including 1.6.11.5. An unauthenticated attacker can trigger the publicly accessible REST API endpoint /wp-json/ssa/v1/async, which passes a user‑supplied delay parameter directly to PHP's sleep() function. Because the endpoint lacks rate limiting, an attacker can repeatedly invoke it to exhaust PHP worker processes, forcing the website to become unavailable to legitimate users. The weakness is a classic resource exhaustion flaw identified as CWE‑400.

Affected Systems

Any WordPress installation running the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.11.5 or earlier. The plugin is distributed under the croixhaug vendor namespace. No specific environment or configuration is required for exploitation; the endpoint is publicly reachable.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the medium severity range. It is not listed in the CISA KEV catalog and its EPSS score is not available, indicating no current data on exploit probability. The attack vector is likely network‑based, because the endpoint is exposed to all visitors. An attacker needs no credentials and no special privileges; the vulnerability can be abused by simply sending repeated HTTP requests to the API, making the issue highly actionable and easy to exploit.

Generated by OpenCVE AI on May 27, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest version (any release newer than 1.6.11.5) to remove the vulnerable endpoint.
  • If an immediate update is unavailable, restrict access to /wp-json/ssa/v1/async to authenticated users or implement server‑side rate limiting such that repeated requests are throttled or blocked.
  • Ensure PHP worker limits are appropriately configured and consider restarting the PHP process pool if repeated DoS attempts are detected.
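As a concrete form of the second recommendation, the following mu-plugin snippet is an added example written for this page, not code from the Simply Schedule Appointments plugin or from OpenCVE. It short-circuits REST dispatch for the /wp-json/ssa/v1/async route before the plugin's own handler, and therefore its sleep() call, is reached. It relies only on WordPress core hooks and functions (rest_pre_dispatch, is_user_logged_in, get_transient/set_transient, WP_Error); the route path is taken from the advisory, while the limit of 5 calls per 60 seconds per client IP is an assumed policy value to tune for the site. Placing the file in wp-content/mu-plugins/ activates it without modifying the plugin.

```php
<?php
/**
 * Plugin Name: SSA async endpoint guard (added example, not part of the plugin)
 * Description: Requires authentication for /wp-json/ssa/v1/async and
 *              rate-limits it per client IP. Drop into wp-content/mu-plugins/.
 */

// Route path from the advisory; compared without any trailing slash.
const SSA_GUARD_ROUTE      = '/ssa/v1/async';
// Assumed policy values (not vendor-supplied): at most 5 calls per 60 s per IP.
const SSA_GUARD_MAX_CALLS  = 5;
const SSA_GUARD_WINDOW_SEC = 60;

/**
 * rest_pre_dispatch runs after REST authentication and before any route
 * callback. Returning a WP_Error from it ends the request, so the plugin's
 * handler (and the sleep() it performs) never executes.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( rtrim( $request->get_route(), '/' ) !== SSA_GUARD_ROUTE ) {
        return $result; // another endpoint; leave it untouched
    }

    // 1. Restrict the endpoint to authenticated users (first workaround above).
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'ssa_guard_forbidden',
            'Authentication required for this endpoint.',
            array( 'status' => 401 )
        );
    }

    // 2. Per-IP counter stored in a transient; the counter expires
    //    SSA_GUARD_WINDOW_SEC seconds after the last counted call.
    //    REMOTE_ADDR is used directly; behind a reverse proxy, substitute the
    //    client address that the trusted proxy supplies.
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $key  = 'ssa_guard_' . md5( $ip );
    $hits = (int) get_transient( $key );

    if ( $hits >= SSA_GUARD_MAX_CALLS ) {
        // 429 responses also give the web-server access log a clear signal
        // that the endpoint is being hammered.
        return new WP_Error(
            'ssa_guard_rate_limited',
            'Too many requests to this endpoint; try again later.',
            array( 'status' => 429 )
        );
    }

    set_transient( $key, $hits + 1, SSA_GUARD_WINDOW_SEC );
    return $result; // null here lets normal dispatch continue
}, 10, 3 );
```

Transients are stored in the options table unless a persistent object cache is configured, so on a busy site the counter adds one read and one write per guarded request; that is still far cheaper than the blocked sleep(). The guard is a stopgap for the route only and does not change the plugin's code, so the update should still be applied once it is available.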

Generated by OpenCVE AI on May 27, 2026 at 03:22 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 03:45:00 +0000

Type: First Time appeared
Values added:
  Croixhaug
  Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values added:
  Croixhaug
  Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
  Wordpress
  Wordpress wordpress

Wed, 27 May 2026 02:15:00 +0000

Type: Description
Values added: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.

Type: Title
Values added: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.11.5 - Unauthenticated Denial of Service

Type: Weaknesses
Values added: CWE-400

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:42:08.465Z

Reserved: 2026-04-30T12:14:44.725Z

Link: CVE-2026-7493

Vulnrichment

Updated: 2026-05-27T10:42:01.256Z

NVD

Status : Deferred

Published: 2026-05-27T02:16:34.770

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-7493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T03:30:06Z

Weaknesses