CVE-2026-7493
Status: Received - Intake
Denial of Service in Simply Schedule Appointments WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.
Generated: 2026-05-27
Affected Vendors & Products
Vendor: simply_schedule_appointments
Product: appointment_booking_calendar
Version / Range: up to and including 1.6.11.5
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress has a vulnerability that allows denial of service attacks. This happens because a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) uses PHP's sleep() function with a user-supplied delay parameter without any rate limiting.

An attacker can exploit this by sending many requests that cause PHP processes to sleep, which exhausts the available PHP worker processes and prevents legitimate users from accessing the site.


How can this vulnerability impact me?

This vulnerability can impact you by causing a denial of service on your WordPress site using the affected plugin. An attacker can make the site unresponsive by exhausting PHP worker processes, which means legitimate users will be unable to access the site or use its appointment booking features.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or excessive requests to the REST API endpoint /wp-json/ssa/v1/async on your WordPress site.

Specifically, you can look for repeated unauthenticated requests that include a delay parameter causing PHP's sleep() function to be invoked.

Commands to detect this might include using web server logs or network monitoring tools to filter requests to the vulnerable endpoint.

  • Using grep on access logs: grep "/wp-json/ssa/v1/async" /var/log/apache2/access.log
  • Using curl to test the endpoint: curl -v "https://yourdomain.com/wp-json/ssa/v1/async?delay=10"
  • Monitoring PHP worker usage to detect exhaustion, e.g., using top or ps commands.
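The log check above, worked through as an added example (not part of the advisory or the plugin's code): a Python script that parses access-log lines in the common combined format, keeps only requests to /wp-json/ssa/v1/async, reads the delay query parameter the advisory names, and flags clients by request count and by the total sleep time they requested (an estimate of the worker-seconds they tie up). The sample log lines, client addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log lines (not real traffic); the
# first client hammers the async endpoint with a large delay, the second
# makes one ordinary request to it plus an unrelated REST call.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:00:01 +0000] "GET /wp-json/ssa/v1/async?delay=30 HTTP/1.1" 200 21 "-" "curl/8.0"
203.0.113.7 - - [27/May/2026:10:00:01 +0000] "GET /wp-json/ssa/v1/async?delay=30 HTTP/1.1" 200 21 "-" "curl/8.0"
203.0.113.7 - - [27/May/2026:10:00:02 +0000] "GET /wp-json/ssa/v1/async?delay=30 HTTP/1.1" 200 21 "-" "curl/8.0"
198.51.100.4 - - [27/May/2026:10:00:05 +0000] "GET /wp-json/ssa/v1/async?delay=1 HTTP/1.1" 200 21 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2026:10:00:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/wp-json/ssa/v1/async"  # endpoint named in the advisory


def parse_async_requests(log_text):
    """Yield (client_ip, requested_delay_seconds) for each hit on the async endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/") != ENDPOINT:
            continue
        raw = parse_qs(url.query).get("delay", ["0"])[0]
        # Non-numeric delay values are counted as a hit but contribute no sleep time.
        delay = float(raw) if re.fullmatch(r"\d+(\.\d+)?", raw) else 0.0
        yield m.group("ip"), delay


def summarize(log_text, min_requests=3, max_delay=5.0):
    """Per-client totals; flag clients that send many hits or ask for long sleeps.

    Thresholds are assumptions: tune them to the site's normal traffic.
    """
    stats = defaultdict(lambda: {"requests": 0, "worker_seconds": 0.0, "max_delay": 0.0})
    for ip, delay in parse_async_requests(log_text):
        s = stats[ip]
        s["requests"] += 1
        s["worker_seconds"] += delay  # rough upper bound on PHP worker time consumed
        s["max_delay"] = max(s["max_delay"], delay)
    for s in stats.values():
        s["suspicious"] = s["requests"] >= min_requests or s["max_delay"] > max_delay
    return dict(stats)
```

To run it against a real server, pass the contents of the access log to summarize() (for example, the file the grep command above reads) and review the clients marked suspicious.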

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable REST API endpoint to prevent unauthenticated requests.

You can implement rate limiting on the /wp-json/ssa/v1/async endpoint to prevent abuse of the sleep() function.

Alternatively, temporarily disabling or blocking access to the endpoint via web server configuration or firewall rules can reduce the risk.

Updating the Appointment Booking Calendar plugin to a version later than 1.6.11.5, once available, is recommended for a permanent fix.

