VYPR
High severity (7.5) · NVD Advisory · Published May 28, 2026

CVE-2026-7797

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Simply Schedule Appointments Booking plugin for WordPress up to 1.6.11.8 is vulnerable to unauthenticated time-based blind SQL injection via the 'append_where_sql' parameter, allowing attackers to extract sensitive database information.

Vulnerability

The vulnerability is a time-based blind SQL injection in the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, affecting all versions up to and including 1.6.11.8 [1][2][3]. The injection occurs via the append_where_sql parameter due to insufficient escaping and lack of prepared statements in the SQL query construction. The vulnerable code is located in the class-td-db-model.php file [1][2][3]. The /appointments/bulk REST endpoint is reachable without authentication because its permission check accepts a public nonce embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce), visible to all site visitors.

Exploitation

An unauthenticated attacker can exploit this by sending a PUT request to the /appointments/bulk endpoint with an application/x-www-form-urlencoded body. This request format ensures that PHP's superglobals are not populated, causing the blocklist check to silently pass. The attacker then injects malicious SQL via the append_where_sql parameter, using time-based techniques to infer data from the database.
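To make the mechanism above concrete from the defender's side, the following is an added illustration (not the plugin's code) of why a parameter blocklist that consults only PHP superglobals misses a PUT body, and of the two corrected patterns: checking the parameters the WordPress REST layer parsed, and never accepting a raw SQL fragment from the client at all. The function and column names are hypothetical; only the parameter name append_where_sql and the PUT plus application/x-www-form-urlencoded detail come from the advisory.

```php
<?php
// Added illustration, not the plugin's own code. ssa_blocklist_check_*,
// ssa_build_where and the column list are hypothetical names.

// Flawed pattern: a blocklist that inspects only PHP superglobals. PHP fills
// $_POST only for POST requests carrying a form or multipart body, so a PUT
// request with an application/x-www-form-urlencoded body leaves $_POST empty
// and this check returns "clean" even though the parameter is in the body.
function ssa_blocklist_check_superglobals(): bool {
    $blocked = ['append_where_sql'];
    foreach ($blocked as $key) {
        if (isset($_GET[$key]) || isset($_POST[$key])) {
            return false; // reject the request
        }
    }
    return true; // body of a PUT request was never looked at
}

// Corrected check: consult the parameters the REST layer actually parsed.
// WP_REST_Request::get_params() merges URL, query and body parameters
// (JSON or form-urlencoded) regardless of HTTP method, so changing the verb
// or content type does not hide the parameter from the check.
function ssa_blocklist_check_request(WP_REST_Request $request): bool {
    $blocked = ['append_where_sql'];
    foreach ($blocked as $key) {
        if (array_key_exists($key, $request->get_params())) {
            return false;
        }
    }
    return true;
}

// Root-cause fix: do not accept a SQL fragment from the client. Accept
// structured filters, allowlist the column names and bind every value
// through $wpdb->prepare(), so no user input is interpolated as SQL.
function ssa_build_where(array $filters): string {
    global $wpdb;
    $allowed = ['status', 'customer_id', 'appointment_type_id']; // hypothetical
    $clauses = ['1=1'];
    foreach ($filters as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            continue; // drop unknown column names instead of interpolating them
        }
        $clauses[] = $wpdb->prepare("`{$column}` = %s", $value);
    }
    return implode(' AND ', $clauses);
}
```

Registering the REST route with a permission callback that requires a capability, rather than a nonce shipped to every visitor, is the complementary fix for the unauthenticated reachability the advisory describes.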

Impact

Successful exploitation allows an attacker to extract sensitive information from the WordPress database, such as user credentials, session tokens, or other confidential data. The attack is blind (time-based), meaning the attacker must observe response delays to infer data, but no authentication is required.

Mitigation

The vulnerability is fixed in version 1.6.11.9, released on the WordPress plugin repository [4]. Users should update to version 1.6.11.9 or later immediately. No workarounds are available for unpatched versions. The plugin is not listed on the CISA KEV as of the publication date.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
