HIGH 7.5

CVE-2026-7797: SQL Injection in WordPress Appointment Booking Plugin – What You Need to Know

The Appointment Booking Calendar plugin for WordPress contains a SQL injection vulnerability that allows unauthenticated attackers to query the site's database and extract sensitive information. The vulnerability exists in how the plugin processes appointment booking requests through a REST API endpoint, accepting malicious SQL code without proper validation. Attackers can exploit this remotely without needing a user account on the WordPress site.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes.

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7797 is a time-based blind SQL injection flaw in the Simply Schedule Appointments Booking Plugin affecting all versions through 1.6.11.8. The vulnerability resides in the 'append_where_sql' parameter handled by the /appointments/bulk REST endpoint. The endpoint implements permission checks via a public nonce value (ssa.api.public_nonce) that is embedded in frontend JavaScript and exposed to all visitors, making it unauthenticated-accessible. Exploitation requires sending a PUT request with application/x-www-form-urlencoded encoding, which prevents PHP's superglobals from being populated and allows the request to bypass a blocklist check. The underlying SQL query lacks sufficient preparation and parameter escaping, enabling attackers to append arbitrary SQL commands that can extract data through time-based inference techniques.

Business impact

A successful exploitation allows attackers to extract sensitive customer data from WordPress databases, including appointment booking details, contact information, and potentially payment or personal identifiers. For service-based businesses relying on this plugin, data breaches could result in regulatory penalties (GDPR, state privacy laws), loss of customer trust, remediation costs, and reputational damage. The unauthenticated nature of the attack means any visitor to an affected website can potentially initiate exploitation without detection through normal access controls.

Affected systems

WordPress installations running the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin in versions up to and including 1.6.11.8 are vulnerable. The plugin's prevalence in WordPress repositories means exposure could be widespread across small-to-medium business websites, scheduling services, consulting firms, and healthcare providers that use appointment management features.

Exploitability

Exploitability is straightforward: the attack requires no authentication, no user interaction, and can be executed over the network with basic HTTP tools. The public nonce embedded in frontend JavaScript provides the attacker with a valid permission token visible in page source code. While exploitation uses time-based blind SQL injection (which is slower than error-based or union-based techniques), modern databases and low-latency networks make data extraction feasible. The specific requirement for PUT requests with form-encoded bodies is a minor technical constraint that does not significantly raise the exploitation bar.

Remediation

Update the Appointment Booking Calendar plugin to a patched version released after 1.6.11.8. Verify the vendor advisory for the specific minimum version that resolves this issue. As an interim mitigation, disable or restrict access to the /appointments/bulk REST endpoint if not actively used, or implement Web Application Firewall (WAF) rules to block suspicious SQL patterns in appointment-related requests. Consider disabling REST API access entirely if the plugin does not require it for critical functionality.

Patch guidance

Priority should be placed on applying a vendor-supplied patch as soon as one is available and tested in a staging environment. Monitor the plugin's official repository and security announcements for patch releases. After patching, verify that appointment booking functionality remains intact by testing common workflows. If a patch is delayed or unavailable, evaluate alternative appointment booking plugins with stronger security practices or maintained code bases.

Detection guidance

Monitor Web server logs and WAF logs for PUT requests to /appointments/bulk endpoints containing SQL keywords (SELECT, UNION, OR, AND) or time-delay functions (SLEEP, BENCHMARK, WAITFOR) in the 'append_where_sql' parameter. Implement database query logging to detect unusual query patterns or long-running queries originating from the appointment booking logic. Search for patterns like encoded SQL syntax (%27 for quotes, %20 for spaces) in URL parameters. Check database access logs for queries extracting sensitive tables (wp_users, wp_postmeta, or custom user data tables) initiated by the web application.

Why prioritize this

This vulnerability should receive immediate attention due to its high CVSS score (7.5), unauthenticated exploitability, and direct impact on confidentiality of customer data. The widespread use of WordPress and this plugin in business-critical appointment scheduling means the attack surface is large. The ease of exploitation and the simplicity of obtaining the required nonce make this a likely target for opportunistic attackers scanning for vulnerable installations.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N) and a high impact on confidentiality (C:H) with no integrity or availability impact. The score does not account for the widespread prevalence of the plugin or the sensitivity of appointment booking data, both of which may increase practical risk in real-world deployments.

Frequently asked questions

Can attackers modify or delete data, or just read it?

Based on the vulnerability description, this SQL injection allows data extraction (high confidentiality impact) but does not confer write or delete capabilities. The impact is limited to confidentiality (C:H/I:N/A:N). However, depending on database permissions and the specific SQL queries an attacker crafts, privilege escalation could theoretically occur if the web application database user has broader permissions.

Do I need an active appointment booking form on my site to be vulnerable?

The plugin must be installed and activated for the /appointments/bulk endpoint to be accessible. However, a visible booking widget is not strictly required—the endpoint is reachable at the REST API path regardless of frontend exposure. Any WordPress site running the vulnerable plugin version is exposed.

How do I know if my site has been exploited?

Check database access logs and web server logs for unusual POST/PUT requests to /appointments/bulk with suspicious parameter values. Look for slow queries or database query errors in your WordPress debug log (if enabled). Query your database directly to audit whether customer data (names, emails, phone numbers, appointment details) has been accessed or appears compromised based on unexpected access timestamps.

Is there a temporary workaround if I cannot patch immediately?

Disable the REST API entirely (if not needed), restrict /appointments/bulk access via WAF or .htaccess rules, or rename the plugin folder to deactivate it temporarily. A more targeted approach is to disable the specific endpoint via WordPress plugin configuration if the plugin provides an option. However, these are temporary measures—patching is the permanent solution.

This analysis is based on published vulnerability details and vendor information available as of the date of writing. CVSS scores and vulnerability classifications are subject to change based on additional context or vendor updates. Organizations should verify patch availability and version-specific guidance directly with the plugin vendor before deploying updates. This writeup does not constitute legal or compliance advice; organizations handling sensitive customer data should consult privacy and legal teams regarding breach notification and regulatory obligations. The attack techniques described are provided for defensive understanding only; unauthorized access to computer systems is illegal. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).