CVE-2026-7493
Deferred - Pending Action
Denial of Service in Simply Schedule Appointments WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: simply_schedule_appointments
Product: appointment_booking_calendar
Version / Range: to 1.6.11.5 (inc)
CWE ID: CWE-400
Description: The product does not properly control the allocation and maintenance of a limited resource.
Compliance Impact

This vulnerability causes a denial of service by exhausting PHP worker processes through an unauthenticated REST API endpoint. It does not directly impact the confidentiality or integrity of data.

Since the vulnerability does not involve unauthorized access to personal or sensitive data, it does not directly affect compliance with standards like GDPR or HIPAA, which focus on data protection and privacy.

However, denial of service could indirectly affect availability requirements under these regulations, potentially impacting service continuity obligations.

Executive Summary

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress has a vulnerability that allows denial of service attacks. This happens because a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) uses PHP's sleep() function with a user-supplied delay parameter without any rate limiting.

An attacker can exploit this by sending many requests that cause PHP processes to sleep, which exhausts the available PHP worker processes and prevents legitimate users from accessing the site.

Impact Analysis

This vulnerability can cause a denial of service on a WordPress site running the affected plugin. An attacker can make the site unresponsive by exhausting PHP worker processes, leaving legitimate users unable to access the site or use its appointment booking features.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive requests to the REST API endpoint /wp-json/ssa/v1/async on your WordPress site.

Specifically, you can look for repeated unauthenticated requests that include a delay parameter causing PHP's sleep() function to be invoked.

Web server logs or network monitoring tools can be used to filter for requests to the vulnerable endpoint, for example:

  • Using grep on access logs: grep "/wp-json/ssa/v1/async" /var/log/apache2/access.log
  • Using curl to test the endpoint: curl -v "https://yourdomain.com/wp-json/ssa/v1/async?delay=10"
  • Monitoring PHP worker usage to detect exhaustion, e.g., using top or ps commands.
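
The access-log check above, carried further as an added example (not code from the advisory or the plugin): it counts hits on the endpoint per client, sums the requested delay values, and also matches the ?rest_route= form of the route, which the grep shown above would not catch. Combined Log Format, the thresholds min_hits and min_total_delay, and the sample lines are assumptions made for illustration.

```python
import math
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

ROUTE = "/ssa/v1/async"  # REST route named in the advisory
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} ')

def async_delay(target):
    """Return (hit, delay); delay is None when missing or not a finite number."""
    path, _, qs = target.partition("?")
    query = parse_qs(qs)
    # WordPress also routes REST calls via ?rest_route=, which a "/wp-json/" grep misses
    via_query = query.get("rest_route", [""])[0].rstrip("/") == ROUTE
    if not (unquote(path).rstrip("/").endswith("/wp-json" + ROUTE) or via_query):
        return False, None
    try:
        delay = float(query["delay"][0])
    except (KeyError, ValueError):
        return True, None  # a delay sent in a POST body never reaches access logs
    return True, (delay if math.isfinite(delay) else None)

def summarize(lines, min_hits=3, min_total_delay=30.0):
    """Aggregate per client IP; flag clients over either threshold (assumed values)."""
    stats = defaultdict(lambda: {"hits": 0, "total_delay": 0.0})
    for m in filter(None, map(LINE_RE.match, lines)):  # skip unparseable lines
        ip, target = m.groups()
        hit, delay = async_delay(target)
        if hit:
            stats[ip]["hits"] += 1
            stats[ip]["total_delay"] += max(delay or 0.0, 0.0)
    flagged = sorted(ip for ip, s in stats.items()
                     if s["hits"] >= min_hits or s["total_delay"] >= min_total_delay)
    return dict(stats), flagged

def _line(ip, target):  # builds one constructed Combined Log Format line
    return f'{ip} - - [27/May/2026:10:00:00 +0000] "GET {target} HTTP/1.1" 200 15 "-" "-"'

SAMPLE = [  # constructed sample traffic (documentation IP ranges), not real logs
    _line("203.0.113.7", "/wp-json/ssa/v1/async?delay=10"),
    _line("203.0.113.7", "/wp-json/ssa/v1/async?delay=10"),
    _line("203.0.113.7", "/?rest_route=/ssa/v1/async&delay=20"),
    _line("198.51.100.99", "/index.php?rest_route=%2Fssa%2Fv1%2Fasync&delay=45"),
    _line("198.51.100.20", "/wp-json/ssa/v1/async"),
    _line("192.0.2.5", "/wp-json/wp/v2/posts"),
]
if __name__ == "__main__":
    print(summarize(SAMPLE)[1])
```

A client that sends the delay in a request body shows up here only through its hit count, so the count threshold matters as much as the delay total.
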
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable REST API endpoint to prevent unauthenticated requests.

You can implement rate limiting on the /wp-json/ssa/v1/async endpoint to prevent abuse of the sleep() function.

Alternatively, temporarily disabling or blocking access to the endpoint via web server configuration or firewall rules can reduce the risk.

Updating the Appointment Booking Calendar plugin to a version later than 1.6.11.5, once available, is recommended for a permanent fix.
