Platform
wordpress
Component
simply-schedule-appointments
Fixed in
1.6.9.29
CVE-2026-39493 affects the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress. This vulnerability stems from insufficient input sanitization, allowing attackers to inject malicious SQL code. Exploitation can lead to unauthorized access to sensitive database information. The vulnerability impacts versions up to and including 1.6.9.27, and a patch is available in version 1.6.9.29.
The SQL Injection vulnerability in Simply Schedule Appointments allows an unauthenticated attacker to manipulate database queries. Successful exploitation could enable attackers to extract sensitive data such as user credentials (usernames, passwords, email addresses), appointment details, and potentially other stored information. The attacker could also modify data, leading to data corruption or denial of service. While direct remote code execution is unlikely, the ability to extract database credentials could facilitate lateral movement within the WordPress environment, potentially compromising other plugins or the core WordPress installation itself. The blast radius extends to any data stored within the plugin's database, making it a significant risk for organizations relying on this plugin for appointment scheduling.
CVE-2026-39493 was published on 2026-04-08. Severity is rated as High (CVSS 7.5). Currently, there are no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, indicating a low to medium probability of active exploitation at this time. Monitor WordPress security forums and vulnerability databases for updates.
Exploit Status
CVSS Vector
The primary mitigation for CVE-2026-39493 is to immediately upgrade the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin to version 1.6.9.29 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL injection attempts targeting the vulnerable parameter. Specifically, look for unusual characters or SQL keywords in user input. Additionally, review and harden database user permissions to limit the potential damage from a successful SQL injection attack. After upgrading, confirm the fix by attempting a SQL injection payload against the vulnerable endpoint and verifying that it is properly sanitized.
Update to version 1.6.9.29, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
It's a SQL Injection vulnerability in the Simply Schedule Appointments WordPress plugin, allowing attackers to potentially extract sensitive data from the database.
If you're using the Appointment Booking Calendar plugin version 1.6.9.27 or earlier, you are vulnerable. Check your plugin versions immediately.
Upgrade the plugin to version 1.6.9.29 or later. If upgrading isn't possible, implement a WAF rule to filter malicious SQL injection attempts.
Currently, there are no publicly known exploits, but it's crucial to patch promptly to prevent future exploitation.
Refer to the official WordPress security advisories and the plugin developer's website for updates and further information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.