SQL Injection Vulnerability in Simply Schedule Appointments Plugin for WordPress
CVE-2026-7797

7.5HIGH

Key Information:

Vendor: WordPress
Status: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Vendor: CVE Published:; 28 May 2026

What is CVE-2026-7797?

The Simply Schedule Appointments Booking Plugin for WordPress, in versions up to and including 1.6.11.8, is susceptible to a time-based blind SQL Injection vulnerability. This flaw arises from inadequate escaping of the 'append_where_sql' parameter, allowing unauthenticated attackers to inject malicious SQL queries into existing ones. The vulnerability can be exploited through the /appointments/bulk REST endpoint, which improperly verifies permissions by accepting a public nonce, making it visible in the frontend JavaScript. Attackers can exploit this vulnerability by issuing a specially crafted PUT request, bypassing security checks and potentially gaining access to sensitive database information.

Affected Version(s)

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 0 <= 1.6.11.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/simply-schedul...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
May 4, 2026

Credit

daroo

CVE-2026-7797 Data

JSON