CVE-2026-7797
Received Received - Intake
Time-Based Blind SQL Injection in Appointment Booking Calendar WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Appointment Booking Calendar β€” Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-7797
EUVD
EUVD-2026-32739
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
simply_schedule_appointments appointment_booking_calendar to 1.6.11.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Appointment Booking Calendar β€” Simply Schedule Appointments Booking Plugin for WordPress has a time-based blind SQL Injection vulnerability in the 'append_where_sql' parameter in all versions up to 1.6.11.8. This occurs because the plugin does not properly escape user-supplied input and does not sufficiently prepare the existing SQL query. As a result, unauthenticated attackers can append additional SQL queries to existing ones, potentially extracting sensitive information from the database.

The vulnerability is exploitable via the /appointments/bulk REST endpoint, which is accessible without authentication due to a permission check that accepts a public nonce embedded in the booking widget's frontend JavaScript. Attackers can exploit this by sending a PUT request with an application/x-www-form-urlencoded body, bypassing PHP superglobal population and blocklist checks.

Impact Analysis

This vulnerability can allow unauthenticated attackers to extract sensitive information from your website's database by injecting SQL queries. Since the attack does not require authentication, it poses a significant risk of data exposure. The extracted data could include personal information, booking details, or other confidential data stored in the database.

The CVSS score of 7.5 indicates a high severity impact, meaning the vulnerability can lead to serious confidentiality breaches without requiring user interaction or privileges.

Compliance Impact

This vulnerability allows unauthenticated attackers to perform time-based blind SQL Injection to extract sensitive information from the database.

Exposure of sensitive information due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Therefore, exploitation of this vulnerability may result in violations of these standards by compromising the confidentiality of protected data.

Detection Guidance

This vulnerability involves a time-based blind SQL Injection via the 'append_where_sql' parameter in the Appointment Booking Calendar plugin. Detection would involve monitoring for unusual PUT requests to the /appointments/bulk REST endpoint with application/x-www-form-urlencoded bodies, as exploitation requires such requests.

Since the vulnerability exploits unauthenticated access using a public nonce visible in frontend JavaScript, detection can include inspecting web server logs for PUT requests to /appointments/bulk and analyzing request bodies for suspicious SQL injection patterns.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided resources.

However, general best practices would include updating the Appointment Booking Calendar plugin to a version later than 1.6.11.8 where the vulnerability is fixed, restricting or monitoring access to the /appointments/bulk REST endpoint, and applying web application firewall rules to block suspicious PUT requests with SQL injection payloads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7797. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart