{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1708", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-30T16:27:23.329Z", "datePublished": "2026-03-11T07:36:24.758Z", "dateUpdated": "2026-04-08T17:00:33.989Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:33.989Z"}, "affected": [{"vendor": "croixhaug", "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.9.27", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow."}], "title": "Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71642341-9fe0-44a9-88f3-70167dc6ca62?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1019"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-db-model.php#L1019"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1025"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-db-model.php#L1025"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1340"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1340"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1413"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1413"}, {"url": "https://plugins.trac.wordpress.org/changeset/3475885/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Thanh Hao"}], "timeline": [{"time": "2026-01-30T16:42:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T19:14:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:50:25.957126Z", "id": "CVE-2026-1708", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:50:40.662Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1708", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:50:25.957126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:50:34.664Z"}}], "cna": {"title": "Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Thanh Hao"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "croixhaug", "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.6.9.27"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-30T16:42:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-10T19:14:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71642341-9fe0-44a9-88f3-70167dc6ca62?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1019"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-db-model.php#L1019"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1025"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-db-model.php#L1025"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1340"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1340"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1413"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1413"}, {"url": "https://plugins.trac.wordpress.org/changeset/3475885/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-11T07:36:24.758Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1708", "state": "PUBLISHED", "dateUpdated": "2026-03-11T13:50:40.662Z", "dateReserved": "2026-01-30T16:27:23.329Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-11T07:36:24.758Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow."}, {"lang": "es", "value": "El plugin Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin para WordPress es vulnerable a inyecci\u00f3n SQL ciega en todas las versiones hasta, e incluyendo, la 1.6.9.27. Esto se debe a que el m\u00e9todo 'db_where_conditions' en la clase 'TD_DB_Model' no evita que el par\u00e1metro 'append_where_sql' se pase a trav\u00e9s de los cuerpos de las solicitudes JSON, mientras que solo verifica su presencia en la superglobal '$_REQUEST'. Esto hace posible que atacantes no autenticados a\u00f1adan comandos SQL arbitrarios a las consultas y extraigan informaci\u00f3n sensible de la base de datos a trav\u00e9s del par\u00e1metro 'append_where_sql' en las cargas \u00fatiles JSON, siempre que hayan obtenido un 'public_token' v\u00e1lido que se expone inadvertidamente durante el flujo de reserva."}], "id": "CVE-2026-1708", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-11T08:16:03.150", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1340"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1413"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-db-model.php#L1019"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/lib/td-util/class-td-db-model.php#L1025"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1340"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1413"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1019"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1025"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3475885/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71642341-9fe0-44a9-88f3-70167dc6ca62?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.9.27]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin", "source": "cna", "vendor": "croixhaug"}, "product": "appointment_booking_calendar_\u2014_simply_schedule_appointments_booking_plugin", "vendor": "croixhaug"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T14:59:28.871377+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of the Appointment Booking Calendar \u2013 Simply Schedule Appointments Booking Plugin if one is available", "If an update is not feasible, modify the plugin to block or sanitize the append_where_sql parameter in JSON requests, or disable the TD_DB_Model usage", "Restrict exposure of the public_token by tightening access controls or removing the public_token mechanism entirely", "Maintain overall WordPress security hygiene: stay current with core, theme, and plugin updates, implement web\u2011application firewall rules, and monitor logs for suspicious activity"], "summary": {"action": "Patch", "impact": "SQL Injection leading to data exfiltration"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress plugin Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin with version 1.6.9.27 or earlier are affected. The issue resides in the plugin\u2019s backend database abstraction layer and is present in any WordPress site that has this plugin active prior to the stated release. No information indicates that later releases have fixed the flaw, so sites running the affected version range remain at risk.", "description_and_impact": "The vulnerability is a blind SQL injection that permits attackers to append arbitrary SQL fragments to database queries. It originates from the TD_DB_Model component, where the append_where_sql parameter received via JSON request bodies is forwarded to MySQL without proper sanitization, while Only its presence in the $_REQUEST superglobal is checked. This flaw, identified as CWE\u201189, enables unauthenticated attackers to retrieve sensitive content from the database if they possess a valid public_token that may be inadvertently exposed during the booking flow. The resulting impact includes potential confidentiality breaches and possible integrity violations if malicious commands are executed.", "risk_and_exploitability": "The CVSS v3.1 score of 7.5 classifies the vulnerability as High severity. The EPSS score of <1\u202f% suggests that exploitation likelihood is currently low, and the flaw is not listed in the CISA KEV catalog. Attackers require access to a public_token, obtainable during normal booking interactions, and the ability to send a crafted JSON payload to the plugin\u2019s endpoint. Because the vulnerability is unauthenticated, broad target coverage exists, but the commercial popularity of the plugin and the specific requirement for a publicly exposed token reduce the immediate exploitation probability."}}}}, "created": "2026-03-12T10:06:17.073584+00:00", "updated": "2026-03-20T14:37:38.146650+00:00", "vendors": ["croixhaug", "croixhaug$PRODUCT$appointment_booking_calendar_\u2014_simply_schedule_appointments_booking_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}