CVE-2026-7797: WordPress Simply Schedule Appointments Plugin Time-Based Blind SQL Injection
The Appointment Booking Calendar WordPress plugin is vulnerable to time-based blind SQL Injection (CVE-2026-7797) via the 'append_where_sql' parameter, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries through the /appointments/bulk REST endpoint with a specific request format.
CVE-2026-7797 affects the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, specifically versions up to and including 1.6.11.8. The vulnerability is a time-based blind SQL Injection flaw stemming from insufficient escaping of the ‘append_where_sql’ parameter and inadequate preparation of the existing SQL query. The vulnerable /appointments/bulk REST endpoint can be reached by unauthenticated attackers due to a publicly accessible nonce (ssa.api.public_nonce) embedded in the booking widget’s frontend JavaScript. Successful exploitation requires issuing a PUT request with an application/x-www-form-urlencoded body to bypass a blocklist check, making this vulnerability a significant threat to WordPress sites using the affected plugin.
Attack Chain
- An unauthenticated attacker identifies a WordPress site using a vulnerable version of the Simply Schedule Appointments Booking Plugin.
- The attacker retrieves the public nonce (ssa.api.public_nonce) from the booking widget’s frontend JavaScript source code.
- The attacker crafts a malicious PUT request to the /appointments/bulk REST endpoint.
- The request includes the ‘append_where_sql’ parameter containing a time-based blind SQL injection payload.
- The request body is formatted as application/x-www-form-urlencoded to avoid populating PHP’s superglobals and bypass the blocklist check.
- The server executes the injected SQL query against the database.
- The attacker analyzes the response time to infer the results of the injected SQL query (time-based blind SQL injection).
- The attacker iteratively refines the SQL injection payload to extract sensitive information from the database, such as user credentials or other confidential data.
Impact
Successful exploitation of CVE-2026-7797 allows unauthenticated attackers to perform time-based blind SQL injection, potentially leading to the extraction of sensitive information from the WordPress database. This could include user credentials, customer data, or other confidential information stored within the database. The impact can range from data breaches to complete compromise of the WordPress site, depending on the scope and sensitivity of the data accessed.
Recommendation
- Upgrade the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin to a version greater than 1.6.11.8 to patch CVE-2026-7797.
- Deploy the Sigma rule "Detect CVE-2026-7797 Exploitation Attempt — WordPress Simply Schedule Appointments SQLi" to detect malicious PUT requests to the /appointments/bulk endpoint.
- Monitor web server logs for PUT requests to the /appointments/bulk endpoint with suspicious append_where_sql parameters, looking for SQL injection attempts.
Detection coverage (2 rules)
Detect CVE-2026-7797 Exploitation Attempt — WordPress Simply Schedule Appointments SQLi
Severity: high. Detects CVE-2026-7797 exploitation attempts: PUT requests to the /appointments/bulk endpoint with suspicious append_where_sql parameters indicative of SQL injection.
Detect WordPress Plugin REST API Requests via PUT Method
Severity: medium. Detects potential exploitation attempts targeting WordPress REST API endpoints using PUT requests, which can be an indicator of unauthorized modifications or exploits.
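The two detections above, expressed as log-scanning logic a defender can run over access logs. This is an added example, not the platform's Sigma rules or the plugin's code. It assumes a combined-style access-log line with an optional trailing quoted request-body field: a plain access log never records a PUT body, so the append_where_sql check only fires when a WAF or body-logging module (or the query string) exposes the parameter, while the PUT-to-endpoint check works on any access log. The advisory names the route only as /appointments/bulk, so the detector matches on that path suffix; the REST namespace segment in the sample lines is a placeholder, and /wp-json/ is the default WordPress REST prefix.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log shape (constructed for this example): NCSA combined-style prefix,
# then an OPTIONAL quoted request body as a WAF or body-logging module would add it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<body>[^"]*)")?'
)

ENDPOINT_SUFFIX = "/appointments/bulk"   # route named in the advisory; full REST prefix not given there
REST_PREFIX = "/wp-json/"                # default WordPress REST API prefix
# Tokens a time-based blind SQL injection payload would carry in append_where_sql.
SQLI_TOKENS = re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\b|--|/\*|['\"]", re.IGNORECASE)


def classify(line):
    """Map one access-log line to (ip, severity, reason); None if nothing to report."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "PUT":
        return None
    ip, target = m.group("ip"), m.group("target")
    parts = urlsplit(target)

    # Rule 1 (high): PUT to /appointments/bulk whose append_where_sql looks like SQL.
    if parts.path.endswith(ENDPOINT_SUFFIX):
        # parse_qs percent-decodes, so the token regex sees the literal SQL text.
        params = parse_qs(parts.query, keep_blank_values=True)
        if m.group("body"):
            for key, vals in parse_qs(m.group("body"), keep_blank_values=True).items():
                params.setdefault(key, []).extend(vals)
        for value in params.get("append_where_sql", []):
            if SQLI_TOKENS.search(value):
                return (ip, "high", f"append_where_sql carries SQL tokens: {value!r}")
        return (ip, "medium", "PUT to appointments/bulk; parameter not visible in log or benign")

    # Rule 2 (medium): any other PUT against the WordPress REST API.
    if parts.path.startswith(REST_PREFIX):
        return (ip, "medium", f"PUT to WordPress REST route {parts.path}")
    return None


def scan(lines):
    """Run classify over an iterable of log lines and keep only the findings."""
    return [hit for hit in (classify(l) for l in lines) if hit is not None]


# Constructed sample lines: documentation IP ranges, and 'example-ns/v1' is a
# placeholder namespace, not the plugin's real REST route.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "PUT /wp-json/example-ns/v1/appointments/bulk HTTP/1.1" 200 512 '
    '"append_where_sql=%20AND%20SLEEP%285%29"',
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "PUT /wp-json/example-ns/v1/appointments/bulk HTTP/1.1" 200 512',
    '192.0.2.9 - - [01/Jan/2026:10:00:02 +0000] "GET /wp-json/example-ns/v1/appointments HTTP/1.1" 200 100',
    '192.0.2.10 - - [01/Jan/2026:10:00:03 +0000] "PUT /wp-json/wp/v2/posts/12 HTTP/1.1" 401 0',
    '192.0.2.11 - - [01/Jan/2026:10:00:04 +0000] "PUT /contact-form HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, severity, reason in scan(SAMPLE_LOG):
        print(f"{severity:6} {ip:12} {reason}")
```

The second sample line shows the practical limit of access-log-only monitoring: a PUT to the vulnerable route with no body recorded can only be scored medium, so sites that want the high-confidence rule to fire need request-body visibility at the WAF or reverse proxy, or should simply treat any PUT to this route from an unauthenticated client as worth review until the plugin is upgraded.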