CVE-2026-7493
Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Simply Schedule Appointments Booking plugin for WordPress (≤1.6.11.5) exposes an unauthenticated REST endpoint that allows attackers to cause denial of service by triggering PHP sleep() without rate limiting.
Vulnerability
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress contains a publicly accessible REST API endpoint at /wp-json/ssa/v1/async that accepts a user-supplied delay parameter. The endpoint calls PHP's sleep() function with this value without any rate limiting or authentication checks. This affects all versions up to and including 1.6.11.5. The vulnerable code is present in the class-async-action-model.php file [1].
Exploitation
An unauthenticated attacker can send repeated HTTP requests to the /wp-json/ssa/v1/async endpoint, specifying a large delay value. Each request causes the PHP worker process to sleep for the specified duration, tying up the worker. By sending many concurrent requests, the attacker can exhaust all available PHP worker processes, preventing the server from handling legitimate requests.
Impact
Successful exploitation results in a denial of service (DoS) condition. Legitimate users are unable to access the WordPress site because PHP workers are occupied by the sleeping requests. No data is compromised, but availability is severely impacted.
Mitigation
As of the publication date (2026-05-27), no fixed version has been released. The vendor has not disclosed a patch or workaround in the available references. Site administrators should consider disabling the REST endpoint via a firewall or web server rule, or implementing rate limiting on the /wp-json/ssa/v1/async path until an official update is provided.
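One way to apply the interim mitigation described above inside WordPress itself, as a must-use plugin (an added example, not code from the plugin vendor or from this record). It assumes the delay argument is passed as a REST parameter named `delay` and that a 5-second ceiling is acceptable; neither is confirmed by the page, so check both against the plugin's own route registration before deploying. Acting on the REST route rather than the URL path also covers the `?rest_route=/ssa/v1/async` query-string form, which a web-server rule matching only `/wp-json/ssa/v1/async` would miss.

```php
<?php
/**
 * Plugin Name: SSA async endpoint guard (example mitigation, not vendor code)
 *
 * Drop into wp-content/mu-plugins/. Rejects unauthenticated requests to the
 * ssa/v1/async route and clamps the delay argument for authenticated ones.
 * The parameter name "delay" and the 5-second ceiling are assumptions.
 */

// Route as seen by WP_REST_Request::get_route(): no /wp-json prefix, so the
// same check applies whether the client used pretty permalinks or rest_route=.
const SSA_GUARD_ROUTE_PREFIX = '/ssa/v1/async';
const SSA_GUARD_MAX_DELAY    = 5; // seconds; assumed safe upper bound

add_filter( 'rest_request_before_callbacks', 'ssa_guard_async_route', 10, 3 );

function ssa_guard_async_route( $response, $handler, $request ) {
    // Leave every route other than the affected one untouched.
    if ( strpos( $request->get_route(), SSA_GUARD_ROUTE_PREFIX ) !== 0 ) {
        return $response;
    }

    // Returning a WP_Error here short-circuits the endpoint callback, so the
    // sleep() in the handler never runs for anonymous callers.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'ssa_guard_auth_required',
            'Authentication required for this endpoint.',
            array( 'status' => 401 )
        );
    }

    // Authenticated callers: bound the delay so no single request can hold
    // a PHP worker for longer than SSA_GUARD_MAX_DELAY seconds.
    $delay = $request->get_param( 'delay' );
    if ( null !== $delay ) {
        $delay = (int) $delay;
        if ( $delay < 0 || $delay > SSA_GUARD_MAX_DELAY ) {
            $request->set_param( 'delay', SSA_GUARD_MAX_DELAY );
        }
    }

    return $response;
}
```

This does not replace a vendor fix: it reduces exposure of the route to unauthenticated traffic but does not remove the sleep() call from the plugin code.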
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.6.11.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.