Medium severity5.3NVD Advisory· Published May 27, 2026· Updated May 27, 2026
CVE-2026-7493
CVE-2026-7493
Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.6.11.5+ 1 more
- (no CPE)range: <=1.6.11.5
- (no CPE)range: <=1.6.11.5
Patches
Vulnerability mechanics
References
2News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026