CVE-2026-1708
Received Received - Intake
Blind SQL Injection in Simply Schedule Appointments Booking Plugin

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description
The Appointment Booking Calendar β€” Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1708
EUVD
EUVD-2026-11117
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordfence simply_schedule_appointments to 1.6.9.27 (inc)
wordfence simply_schedule_appointments 2.7.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Appointment Booking Calendar β€” Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to a blind SQL Injection in all versions up to and including 1.6.9.27.

This vulnerability arises because the method `db_where_conditions` in the `TD_DB_Model` class does not properly prevent the `append_where_sql` parameter from being passed through JSON request bodies. It only checks for this parameter in the `$_REQUEST` superglobal, missing the JSON payloads.

As a result, an unauthenticated attacker who has obtained a valid `public_token` (which is inadvertently exposed during the booking flow) can append arbitrary SQL commands to database queries via the `append_where_sql` parameter in JSON payloads, allowing them to extract sensitive information from the database.

Impact Analysis

This vulnerability allows unauthenticated attackers to perform blind SQL Injection attacks on the plugin's database.

The impact includes the potential extraction of sensitive information from the database without authorization.

Because the attacker can append arbitrary SQL commands, they may be able to access confidential data stored by the plugin, which could lead to data breaches or exposure of private user information.

The CVSS v3.1 base score of 7.5 indicates a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability involves the `append_where_sql` parameter being passed through JSON request bodies, which can be exploited by unauthenticated attackers who have obtained a valid `public_token`. Detection would involve monitoring for unusual or unauthorized JSON payloads containing the `append_where_sql` parameter in requests to the Appointment Booking Calendar plugin endpoints.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is a blind SQL injection via JSON payloads, detection can include inspecting HTTP request bodies for the presence of the `append_where_sql` parameter in JSON data, especially if accompanied by a `public_token`.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect such activity could include using network traffic inspection tools or command-line utilities like curl or tcpdump combined with grep or jq to filter for suspicious JSON requests.'}, {'type': 'list_item', 'content': 'Use tcpdump or Wireshark to capture HTTP POST requests to the WordPress site and filter for JSON bodies containing "append_where_sql".'}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'append_where_sql'"}, {'type': 'list_item', 'content': 'Use curl to replay or test endpoints with crafted JSON payloads containing the `append_where_sql` parameter to verify if the server processes them.'}, {'type': 'list_item', 'content': 'Example curl command to test: curl -X POST -H "Content-Type: application/json" -d \'{"append_where_sql":"1=1"}\' https://yourwordpresssite.com/wp-json/endpoint'}] [5]

Mitigation Strategies

Immediate mitigation steps include updating the Appointment Booking Calendar β€” Simply Schedule Appointments Booking Plugin to version 1.6.9.29 or later, where the vulnerability has been addressed by adding validation to prevent SQL injection via the `append_where_sql` parameter.

The update ensures that the `append_where_sql` parameter is not accepted from user-controllable inputs such as JSON request bodies, $_REQUEST, or $_FILES, effectively blocking unauthenticated attackers from injecting arbitrary SQL.

If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the booking endpoints to trusted IP addresses to prevent exploitation.

Additionally, monitor logs for suspicious requests containing the `append_where_sql` parameter and revoke or rotate any exposed `public_token` values if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart