CVE-2026-7797: Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes.
HarborGuard Analysis
Synopsis
Time-based blind SQL injection in the Appointment Booking Calendar plugin for WordPress (Simply Schedule Appointments, versions up to and including 1.6.11.8) is reachable over the network without any authentication. An attacker crafts a PUT request to the /appointments/bulk REST endpoint, injecting additional SQL into the append_where_sql parameter; the plugin fails to escape or properly prepare the query, allowing the injected fragment to execute. Successful exploitation lets the attacker extract arbitrary data from the WordPress database, including user credentials, session tokens, and any other stored records. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment the upstream maintainer publishes a fix.
HarborGuard Coverage
Detection: Available. Detection of CVE-2026-7797 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Wordfence advisory stream, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image carrying the affected plugin version (1.6.11.8 or earlier) is flagged automatically.
Scoring and triage: Available. HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each customer organization's compliance policy to determine urgency and routing. Triage findings are delivered to the team inbox configured for the affected workload inside each customer org.
Patched rebuild: Pending upstream. No upstream fix version has been published for this CVE. HarborGuard re-checks the Wordfence advisory and upstream plugin repository on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once that fix is available.
Exploit Conditions
- Network reachability: Required. The vulnerable REST endpoint is exposed over the network; an attacker must be able to send HTTP PUT requests to the target WordPress site to exploit this issue.
- Authentication: Not required. No account or login is needed; the endpoint accepts a public nonce embedded in the booking widget's frontend JavaScript and visible to any site visitor.
- Victim interaction: Not required. The attacker sends requests directly to the server; no user needs to click a link or take any action for exploitation to succeed.
- Attack complexity: Low (AC:L). Exploit conditions are straightforward and reliable: the attacker issues a PUT request with a form-encoded body, bypassing the blocklist check, with no race conditions or environmental dependencies required.
Blast Radius
- Reads arbitrary rows from the WordPress database, including hashed passwords and email addresses for all registered users.
- Extracts stored session tokens or authentication secrets, enabling account takeover without needing to crack password hashes.
- Retrieves appointment records and any personally identifiable information submitted through the booking form.
- Accesses WordPress site configuration values and any secrets stored in the options table, such as API keys or payment credentials.
How HarborGuard Handles This
Available on HarborGuard: this CVE is tracked continuously against all customer images that include the Simply Schedule Appointments plugin at version 1.6.11.8 or earlier. Because no upstream patch exists yet, HarborGuard monitors the Wordfence advisory and the plugin's release channel on every ingest cycle. The moment a fix version is published, a patched-image rebuild becomes available; for customers with auto-remediation enabled, that rebuild is followed immediately by a regression test run and a PR opened against affected workloads. In the meantime, compensating controls worth considering include network-policy rules that restrict unauthenticated external access to the /appointments/bulk REST endpoint, egress filtering to limit lateral data movement if the host is compromised, and temporarily disabling the bulk endpoint via a feature flag or WAF rule if the booking workflow permits it. Where compliance policy permits, HarborGuard can route a triage ticket to the team responsible for the affected workload so a manual mitigation decision can be made without waiting for an automated rebuild.
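The request-triage helper below is an added example, not HarborGuard tooling and not the plugin's own code. It encodes the exploit conditions the advisory describes (a PUT to the /appointments/bulk REST route with an application/x-www-form-urlencoded body carrying append_where_sql) as a classifier that a WAF rule or log-review job could apply. The record format, the placeholder REST prefix /wp-json/EXAMPLE_NS/v1 in the constructed samples, and the list of SQL delay primitives used to spot time-based payloads are all assumptions of this example; only the route name, parameter name and request shape come from the advisory.

```python
"""Request-triage helper for CVE-2026-7797 (added example; not HarborGuard or plugin code).

Each record is a constructed dict with "method", "path", "headers" and "body".
The REST prefix /wp-json/EXAMPLE_NS/v1 in the samples is a placeholder; only the
trailing /appointments/bulk route name comes from the advisory.
"""
import re
from urllib.parse import parse_qs, urlparse

FORM_CT = "application/x-www-form-urlencoded"
ROUTE_RE = re.compile(r"/appointments/bulk/?$")
# Delay primitives characteristic of time-based blind SQL injection (assumed list).
TIME_SQL_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)
SUSPECT_PARAM = "append_where_sql"


def _content_type(headers):
    """Return the media type, lower-cased, without charset parameters."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def _suspect_values(record):
    """Collect every append_where_sql value from the query string and, when the
    body is form-encoded, from the body (parse_qs also yields append_where_sql[] keys)."""
    sources = [urlparse(record["path"]).query]
    if _content_type(record.get("headers", {})) == FORM_CT:
        sources.append(record.get("body", ""))
    values = []
    for src in sources:
        for key, vals in parse_qs(src, keep_blank_values=True).items():
            if key.startswith(SUSPECT_PARAM):
                values.extend(vals)
    return values


def triage(record):
    """Classify one request record; returns (severity, reasons)."""
    if not ROUTE_RE.search(urlparse(record["path"]).path):
        return "none", []
    reasons = ["request targets the /appointments/bulk REST route"]
    ctype = _content_type(record.get("headers", {}))
    put_form = record["method"].upper() == "PUT" and ctype == FORM_CT
    if put_form:
        reasons.append("PUT with form-encoded body: the shape that bypasses the superglobal blocklist check")
    values = _suspect_values(record)
    if values:
        reasons.append(f"{SUSPECT_PARAM} supplied ({len(values)} value(s))")
    if any(TIME_SQL_RE.search(v) for v in values):
        reasons.append("time-delay SQL primitive inside append_where_sql")
        return "critical", reasons
    if values:
        return "high", reasons
    if put_form:
        return "low", reasons
    return "info", reasons


# Constructed sample traffic (not captured from any real site).
_ROUTE = "/wp-json/EXAMPLE_NS/v1/appointments/bulk"
_FORM = {"Content-Type": FORM_CT + "; charset=UTF-8"}
SAMPLE_REQUESTS = [
    {"id": "benign-list", "method": "GET", "path": "/wp-json/EXAMPLE_NS/v1/appointments?page=1",
     "headers": {}, "body": ""},
    {"id": "json-bulk", "method": "POST", "path": _ROUTE,
     "headers": {"Content-Type": "application/json"}, "body": '{"ids": [4, 5]}'},
    {"id": "put-form-no-param", "method": "PUT", "path": _ROUTE,
     "headers": _FORM, "body": "ids%5B%5D=4&status=booked"},
    {"id": "put-form-param", "method": "PUT", "path": _ROUTE,
     "headers": _FORM, "body": "ids%5B%5D=4&append_where_sql=status%3D%27booked%27"},
    {"id": "put-form-timing", "method": "PUT", "path": _ROUTE,
     "headers": _FORM, "body": "ids%5B%5D=4&append_where_sql=1%20AND%20SLEEP%285%29"},
    {"id": "get-query-param", "method": "GET", "path": _ROUTE + "?append_where_sql=1",
     "headers": {}, "body": ""},
]


def triage_all(records=SAMPLE_REQUESTS):
    """Return (id, severity, reasons) for every record."""
    return [(r["id"], *triage(r)) for r in records]


if __name__ == "__main__":
    for rid, severity, reasons in triage_all():
        print(f"{rid:18} {severity:8} {'; '.join(reasons)}")
```

The classifier deliberately still flags a GET carrying append_where_sql in the query string, even though the advisory says the blocklist catches that shape once PHP's superglobals are populated: a blocked probe is an early warning that the PUT variant may follow, and reviewing it costs nothing.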
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no upstream fix version published)
- Affected products: 1
  - croixhaug / Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin: ≤ 1.6.11.8
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N