Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes.
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The booking plugin contains a time‑based blind SQL injection that allows unauthenticated attackers to append arbitrary SQL through the ‘append_where_sql’ parameter. By injecting crafted statements, an attacker can read, modify, or delete database contents, potentially compromising the entire WordPress site. The weakness is a classic injection flaw that directly harms confidentiality and integrity.

Affected Systems

Croixhaug’s "Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin" is affected in all releases up to and including 1.6.11.8. Users running these versions, whether on public or internal sites, are vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high‑severity flaw, and while EPSS data is unavailable, the public nonce embedded in the widget makes the REST endpoint reachable to any visitor. The attack requires only a crafted PUT request with an application/x‑www‑form‑urlencoded body, bypassing the blocklist check. The plugin is not listed in KEV, yet any site deploying the vulnerable version faces significant risk of data exposure or unauthorized database manipulation.

Generated by OpenCVE AI on May 28, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 1.6.11.9 or newer where the injection is fixed.
  • If an update cannot be applied immediately, disable or restrict the /appointments/bulk REST endpoint so that only authenticated users can access it.
  • Ensure that future database queries in the plugin use prepared statements and proper input sanitization to eliminate injection vectors.

Generated by OpenCVE AI on May 28, 2026 at 08:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Croixhaug
Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress
Wordpress wordpress
Vendors & Products Croixhaug
Croixhaug appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress
Wordpress wordpress

Thu, 28 May 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes.
Title Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:33:24.502Z

Reserved: 2026-05-04T19:10:12.014Z

Link: CVE-2026-7797

cve-icon Vulnrichment

Updated: 2026-05-28T10:33:18.975Z

cve-icon NVD

Status : Deferred

Published: 2026-05-28T08:16:37.360

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-7797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T08:30:12Z

Weaknesses