HarborGuard Database

CRITICAL  CVE-2026-39493  CNA: Patchstack

CVE-2026-39493: WordPress Simply Schedule Appointments plugin <= 1.6.9.27 - SQL Injection vulnerability

Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fix version published upstream
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WordPress plugin Simply Schedule Appointments at version 1.6.9.27 and earlier. The flaw is reachable over the network with no login or credentials required, making it exploitable by any external attacker who can send HTTP requests to a WordPress site running the plugin. Successful exploitation gives an attacker full read access to the database and limited ability to disrupt service availability. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

HarborGuard ingests the advisory from upstream feeds, including Patchstack, and matches CVE-2026-39493 against customer images within minutes of ingestion in every HarborGuard environment, including custom-built images that bundle the Simply Schedule Appointments plugin. Coverage applies to both registry scans and in-pipeline image checks at build time.

Triage: Available

Triage uses the CVSS v3.1 score of 9.3 (Critical), weighted against each customer organization's configured compliance policy, to determine escalation priority. Findings are routed to the appropriate team inbox within each customer org according to the ownership rules defined in their HarborGuard configuration.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as NSquared publishes a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations for affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the target WordPress host.

  • Authentication: Not required

    No account, session token, or credentials of any kind are needed to trigger the injection.

  • Victim interaction: Not required

    The attack is fully server-side; no user action or social engineering is needed.

  • Attack complexity: Low

    Exploitation is reliable and condition-free, requiring no race conditions, special memory layout, or environmental prerequisites.

Blast Radius

  • Reads any data stored in the WordPress database, including user account records, password hashes, session tokens, plugin configuration, and any customer or appointment data managed by the plugin.
  • Scope is changed (S:C): the vulnerable component is the plugin, but the impacted component is the whole WordPress database, so tables beyond the plugin's own, such as WooCommerce orders or other co-located plugin tables, are readable as well.
  • Limited denial-of-service impact allows an attacker to degrade or disrupt availability of the appointment scheduling service through malformed query execution.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical (CVSS 9.3) SQL injection is active for any scanned image that includes the Simply Schedule Appointments plugin at a vulnerable version. Because no upstream fix exists as of the publication date, HarborGuard monitors the Patchstack advisory feed on every ingest cycle and will surface a patched-image rebuild automatically once NSquared ships a remediated version. While awaiting a fix, customers can use HarborGuard's network-policy isolation capability to restrict inbound HTTP access to affected WordPress workloads, reducing the attack surface without requiring a code change. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered immediately upon fix availability, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes for environments with auto-remediation enabled.

Affected packages
  • NSquared / Simply Schedule Appointments
    ≤ 1.6.9.27
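The affected range above (≤ 1.6.9.27) is what an image scanner has to test for. The following is an added example, not HarborGuard's or NSquared's code: it walks an extracted image filesystem, finds the plugin's main file by its WordPress plugin header, reads the `Version:` line the same way WordPress itself does, and compares it against the advisory's upper bound with a proper component-wise comparison (so 1.6.10 is correctly treated as newer than 1.6.9.27). The plugin directory slug `simply-schedule-appointments` and the sample file tree are assumptions constructed for the demo.

```python
"""Flag vulnerable Simply Schedule Appointments installs in an extracted image rootfs.

Added example (not the page's, HarborGuard's, or the plugin's own code).
"""
import os
import re
import tempfile

AFFECTED_MAX = "1.6.9.27"                     # from the advisory: <= 1.6.9.27 is vulnerable
PLUGIN_SLUG = "simply-schedule-appointments"  # ASSUMED wp-content/plugins/ directory name


def parse_version(text):
    """'1.6.9.27' -> (1, 6, 9, 27). A trailing tag such as '-beta' is dropped,
    which conservatively treats pre-releases of a version as that version."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a, b):
    """Component-wise comparison, padding the shorter tuple with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) <= tb + (0,) * (n - len(tb))


def is_affected(version):
    return version_le(version, AFFECTED_MAX)


def header_field(path, label):
    """Read a WordPress plugin header field ('Plugin Name', 'Version') from the
    first 8 KiB of a PHP file, using the same line shape WordPress's
    get_file_data() accepts: optional comment prefix, label, colon, value."""
    with open(path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)
    m = re.search(r"^[ \t/*#@]*%s:[ \t]*(.+?)[ \t]*$" % re.escape(label),
                  head, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def scan_tree(root):
    """Walk an extracted image rootfs and report every install of the plugin."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if (os.path.basename(dirpath) != PLUGIN_SLUG
                or os.path.basename(os.path.dirname(dirpath)) != "plugins"):
            continue
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            if header_field(path, "Plugin Name") is None:
                continue  # helper file, not the main plugin file
            ver = header_field(path, "Version")
            if ver:
                findings.append({"path": path, "version": ver,
                                 "affected": is_affected(ver)})
    return findings


# Constructed stand-in for the plugin's main file header (not the real plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Simply Schedule Appointments
 * Version: {version}
 */
"""


def build_sample_rootfs(root, version):
    """Create a fake /var/www/html WordPress tree under root (constructed data)."""
    d = os.path.join(root, "var", "www", "html", "wp-content", "plugins", PLUGIN_SLUG)
    os.makedirs(d)
    with open(os.path.join(d, "simply-schedule-appointments.php"), "w") as f:
        f.write(SAMPLE_HEADER.format(version=version))
    # A helper file carrying a stray 'Version:' comment must be ignored.
    with open(os.path.join(d, "helpers.php"), "w") as f:
        f.write("<?php\n// Version: 99.0\n")
    return d


def demo(version="1.6.9.27"):
    """Build the constructed rootfs and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root, version)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: version {f['version']} affected={f['affected']}")
```

Point the scanner at an unpacked image layer (for example the output of `docker export` extracted to a directory) rather than at a running container; the header read is the same check WordPress performs, so it works on images that vendor the plugin without a package manifest.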
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L