CVE-2026-1708
Blind SQL Injection in Simply Schedule Appointments Booking Plugin
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | simply_schedule_appointments | to 1.6.9.27 (inc) |
| wordfence | simply_schedule_appointments | 2.7.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to a blind SQL Injection in all versions up to and including 1.6.9.27.
This vulnerability arises because the `db_where_conditions` method of the `TD_DB_Model` class tries to block the `append_where_sql` parameter but only looks for it in the `$_REQUEST` superglobal (query string, form body and, depending on PHP's `request_order`, cookies). A parameter supplied in a JSON request body is never checked, so it passes the guard and reaches the query builder.
As a result, an unauthenticated attacker who has obtained a valid `public_token` (which is inadvertently exposed during the booking flow) can append arbitrary SQL commands to database queries via the `append_where_sql` parameter in JSON payloads, allowing them to extract sensitive information from the database.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to perform blind SQL Injection attacks on the plugin's database.
The impact includes the potential extraction of sensitive information from the database without authorization.
Because the attacker can append arbitrary SQL commands, they may be able to access confidential data stored by the plugin, which could lead to data breaches or exposure of private user information.
The CVSS v3.1 base score of 7.5 indicates a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves the `append_where_sql` parameter being passed through JSON request bodies, which can be exploited by unauthenticated attackers who have obtained a valid `public_token`. Detection therefore centres on finding requests to the Appointment Booking Calendar plugin endpoints whose JSON body contains an `append_where_sql` key, especially when a `public_token` is present in the same request.
Two caveats apply before choosing a tool. Standard web server access logs do not record POST bodies, so the parameter is only visible in the logs of a WAF, reverse proxy or application-level hook that captures request bodies. A packet capture on port 443 shows only TLS ciphertext, so packet-level matching works on plaintext HTTP or on traffic captured behind the TLS terminator, not on the encrypted link itself.
With that in mind, network traffic inspection tools or command-line utilities such as tcpdump and curl, combined with grep or jq, can be used to find or reproduce the suspicious JSON requests:
- Use tcpdump or Wireshark to capture HTTP POST requests to the WordPress site (on the plaintext side of TLS termination) and filter for JSON bodies containing "append_where_sql".
- Example tcpdump command: `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'append_where_sql'` (this matches only unencrypted traffic; bodies on port 443 are encrypted and will not match).
- Use curl to replay or test the plugin's endpoints with a crafted JSON payload containing the `append_where_sql` parameter to verify whether the server still processes it. The endpoint path below is a placeholder, and per the description the vulnerable code path is only reached when the request also carries a valid `public_token`.
- Example curl command to test: `curl -X POST -H "Content-Type: application/json" -d '{"append_where_sql":"1=1"}' https://yourwordpresssite.com/wp-json/endpoint`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin to version 1.6.9.29 or later, where the vulnerability has been addressed by adding validation to prevent SQL injection via the `append_where_sql` parameter.
The update ensures that the `append_where_sql` parameter is not accepted from any user-controllable input, whether a JSON request body, `$_REQUEST` or `$_FILES`, effectively blocking unauthenticated attackers from injecting arbitrary SQL.
If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the booking endpoints to trusted IP addresses to prevent exploitation.
Additionally, monitor logs for suspicious requests containing the `append_where_sql` parameter and revoke or rotate any exposed `public_token` values if possible.
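As an added example (not code from the Simply Schedule Appointments plugin or from Wordfence), the following must-use plugin applies the check the fix is described as adding: it rejects `append_where_sql` whether it arrives in `$_REQUEST`, `$_FILES` or a JSON request body, instead of looking only in `$_REQUEST` as the vulnerable `db_where_conditions` method does. It also writes one log line per blocked attempt, so the detection advice above has something to search for, and it can serve as a temporary virtual patch until the plugin is updated. The function names, the log format and the decision to block the parameter on every request path are assumptions; the plugin's actual endpoint paths are not given on this page.

```php
<?php
/**
 * Plugin Name: Temporary guard for CVE-2026-1708 (append_where_sql)
 * Description: Added example, not code from the Simply Schedule Appointments plugin.
 *
 * Place in wp-content/mu-plugins/ until the plugin update is applied.
 * Assumptions: no legitimate client ever sends append_where_sql (the advisory
 * describes the fix as refusing it from all user input), so blocking it on
 * every request path is safe; the log line format is our own.
 */

if (!defined('ABSPATH')) {
    exit;
}

/**
 * Recursively search an array for a key name (case-insensitive) so a nested
 * JSON object such as {"filters":{"append_where_sql":"..."}} is still caught.
 * Returns the dotted path of the first match, or null.
 */
function cve_2026_1708_find_key(array $data, string $needle, string $prefix = ''): ?string
{
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_string($key) && strcasecmp($key, $needle) === 0) {
            return $path;
        }
        if (is_array($value)) {
            $found = cve_2026_1708_find_key($value, $needle, $path);
            if ($found !== null) {
                return $found;
            }
        }
    }
    return null;
}

/**
 * Every input channel the fix has to cover. The vulnerable check looked only
 * at $_REQUEST; the JSON body is the channel that bypassed it.
 */
function cve_2026_1708_input_channels(): array
{
    $channels = [
        'REQUEST' => $_REQUEST,
        'FILES'   => $_FILES,
    ];

    // php://input can be read more than once on PHP >= 5.6, so reading it here
    // does not starve the REST API, which reads the body again later.
    $raw = file_get_contents('php://input');
    if (is_string($raw) && $raw !== '') {
        $decoded = json_decode($raw, true);
        if (is_array($decoded)) {
            $channels['JSON'] = $decoded;
        }
    }
    return $channels;
}

function cve_2026_1708_guard(): void
{
    foreach (cve_2026_1708_input_channels() as $channel => $data) {
        $path = cve_2026_1708_find_key($data, 'append_where_sql');
        if ($path === null) {
            continue;
        }
        // Detection record: whether public_token was also supplied tells you
        // if the request could have reached the vulnerable code path.
        $has_token = cve_2026_1708_find_key($data, 'public_token') !== null;
        error_log(sprintf(
            'CVE-2026-1708 guard: blocked %s %s from %s (channel=%s key=%s public_token=%s)',
            $_SERVER['REQUEST_METHOD'] ?? '?',
            $_SERVER['REQUEST_URI'] ?? '?',
            $_SERVER['REMOTE_ADDR'] ?? '?',
            $channel,
            $path,
            $has_token ? 'yes' : 'no'
        ));
        status_header(403);
        nocache_headers();
        header('Content-Type: application/json; charset=utf-8');
        echo wp_json_encode(['code' => 'forbidden_parameter', 'message' => 'Request rejected.']);
        exit;
    }
}

// mu-plugins are loaded after WordPress core functions but before regular
// plugins, so running the guard at include time blocks the request before
// any plugin code can build a query from it.
cve_2026_1708_guard();
```

The guard deliberately does not restrict itself to `/wp-json/` paths, because the page does not state which endpoints accept the parameter and a WordPress `admin-ajax.php` handler would read the same superglobals. Blocking on the key name alone is practical here only because `append_where_sql` is an internal query-builder parameter that no legitimate client is expected to send; a guard for a parameter that normal traffic uses would instead need to validate the value. After deploying it, the `error_log` lines (in the PHP error log or `wp-content/debug.log` when `WP_DEBUG_LOG` is on) are the place to look for exploitation attempts and for the `public_token` values that should be rotated.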