CVE-2026-39493
Description
Unauthenticated SQL injection in Simply Schedule Appointments <= 1.6.9.27 allows attackers to read or modify the database, risking data theft and web attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An SQL injection vulnerability exists in the WordPress plugin Simply Schedule Appointments in versions up to and including 1.6.9.27. The bug allows an unauthenticated attacker to inject arbitrary SQL queries via input parameters without requiring any prior authentication or special configuration. The vulnerable code path is reachable from the public-facing interface of the plugin. [1]
Exploitation
An attacker with network access to the WordPress site can exploit this vulnerability by sending a crafted HTTP request containing malicious SQL in an unsanitized parameter. No authentication, user interaction, or elevated privileges are required. The lack of input validation enables direct injection into database queries, allowing the attacker to execute arbitrary SQL commands. [1]
Impact
Successful exploitation leads to a compromise of database confidentiality, integrity, and availability (CIA). The attacker can extract sensitive information (including user credentials and site data), modify or delete database content, and potentially gain further access to the server or other hosted applications. The vulnerability is rated with a CVSS v3 score of 9.3 (Critical) and is expected to be used in mass-exploit campaigns against thousands of sites. [1]
Mitigation
The vulnerability is fixed in version 1.6.9.29. Users should update to this version or later immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until a patch can be applied. No workaround other than updating or using the mitigation rule is documented. The plugin is actively maintained; no EOL status or KEV listing is mentioned in the references. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Simply Schedule Appointments, affected range: <= 1.6.9.27
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.