WordPress Plugin Vulnerabilities

Appointment Booking Calendar < 1.6.9.29 - Unauthenticated SQL Injection via 'append_where_sql' Parameter

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow.

Affects Plugins

Plugin icon
simply-schedule-appointments
Fixed in 1.6.9.29

References

CVE
CVE-2026-1708
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/71642341-9fe0-44a9-88f3-70167dc6ca62

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.5 (high)

Miscellaneous

Original Researcher
d.v4n_s3c
Verified
No
WPVDB ID
395e0a1e-c846-4701-9e02-4e98cb808820

Timeline

Publicly Published
2026-03-10 (about 2 months ago)
Added
2026-03-10 (about 2 months ago)
Last Updated
2026-03-11 (about 2 months ago)

Other

Published
Title
Published
2026-01-20
Title
Koko Analytics < 2.1.3 - Unauthenticated SQL Injection
Published
2024-07-30
Title
Registrations for the Events Calendar – Event Registration Plugin < 2.12.3 - Authenticated (Contributor+) SQL Injection
Published
2025-02-24
Title
Yawave <= 2.9.1 - Unauthenticated SQL Injection
Published
2025-08-08
Title
MapSVG < 8.7.4 - Unauthenticated SQL Injection
Published
2021-10-11
Title
Pie Register < 3.7.1.6 - Unauthenticated SQL Injection