CVE-2026-7797 Overview
CVE-2026-7797 is a time-based blind SQL injection vulnerability in the Simply Schedule Appointments WordPress plugin. The flaw affects all versions up to and including 1.6.11.8. Unauthenticated attackers can append arbitrary SQL through the append_where_sql parameter on the /appointments/bulk REST endpoint. The endpoint is reachable without authentication because its permission check accepts a public nonce embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce). This nonce is visible to every site visitor. The vulnerability is classified as CWE-89 (SQL Injection).
Critical Impact
Unauthenticated remote attackers can extract arbitrary database contents, including password hashes from wp_users and other user and session data, from any WordPress site running an affected version of the plugin. Because the injection is blind, extraction proceeds roughly one bit per request; it is slow, but fully automatable and leaves no error output on the site.
Affected Products
- Simply Schedule Appointments Booking Plugin for WordPress — all versions ≤ 1.6.11.8
- Fixed in version 1.6.11.9 (per the WordPress changeset)
- Vulnerable code paths in class-td-api-model.php and class-td-db-model.php
Discovery Timeline
- 2026-05-28 - CVE-2026-7797 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-7797
Vulnerability Analysis
The Simply Schedule Appointments plugin exposes a /appointments/bulk REST route that processes a user-supplied append_where_sql parameter. The plugin concatenates this parameter directly into a SQL query without escaping or using wpdb::prepare() placeholders. The vulnerable handlers live in class-td-api-model.php around lines 304 and 361, and in class-td-db-model.php around line 1049. Because the injected SQL is appended to an existing query and the response is the same regardless of the boolean outcome, exploitation uses time-based blind techniques such as SLEEP() or BENCHMARK() to exfiltrate database content one bit at a time.
Root Cause
The root cause is twofold. First, the plugin trusts a parameter named append_where_sql and embeds it directly into a WHERE clause without sanitization or parameterization; a parameter whose name advertises that it carries raw SQL can never be made safe by filtering and should not exist on a public route. Second, the REST endpoint's permission callback authorizes any request that presents the public nonce ssa.api.public_nonce, which the plugin renders into frontend JavaScript for the public booking widget. A nonce is a CSRF token, not an authorization decision: it proves only that the request came from a page that rendered it, and a nonce printed into public HTML proves nothing at all. Any anonymous visitor can read this nonce from the page source and replay it.
Attack Vector
Exploitation requires issuing a PUT request with an application/x-www-form-urlencoded body to the /appointments/bulk endpoint. PHP populates the $_POST superglobal only for POST requests, so on a PUT the plugin's blocklist of dangerous SQL tokens, which inspects $_POST, sees an empty array and lets the request through, while the WordPress REST layer still parses the form body and hands append_where_sql to the handler. The attacker supplies the public nonce harvested from the site's frontend together with an append_where_sql value carrying a conditional time delay, infers one bit of the target value per request from whether the response is delayed, and repeats the request to recover the value byte by byte. Refer to the Wordfence Vulnerability Analysis and the WordPress Changeset Review for the corrected logic.
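The following is an added illustration written for this advisory, not code from the Simply Schedule Appointments plugin: the vulnerable shape described in the Vulnerability Analysis, Root Cause and Attack Vector sections (a nonce-only permission callback, a $_POST-based blocklist that a PUT bypasses, and raw SQL concatenated into the WHERE clause) beside one way to harden it (a capability check, a structured filter with allowlisted columns and operators, and wpdb::prepare() placeholders). The function names, the nonce action 'wp_rest', the table name ssa_appointments and the column list are assumptions made for the example.

```php
<?php
// Added illustration for this advisory, not code from the Simply Schedule
// Appointments plugin. Function names, the nonce action 'wp_rest', the table
// ssa_appointments and the column allowlist are assumptions for the example.

// --- Vulnerable shape -------------------------------------------------------

function ssa_example_vulnerable_permission( WP_REST_Request $request ) {
	// Accepts the nonce the booking widget prints into public JavaScript, so any
	// visitor who reads the page source satisfies this check. A nonce is a CSRF
	// token, not an authorization decision.
	$nonce = $request->get_header( 'X-WP-Nonce' ) ?: $request->get_param( '_wpnonce' );
	return (bool) wp_verify_nonce( (string) $nonce, 'wp_rest' );
}

function ssa_example_vulnerable_bulk( WP_REST_Request $request ) {
	global $wpdb;

	// Blocklist that only looks at $_POST. PHP fills $_POST for POST requests
	// only, so on a PUT with a form-urlencoded body this branch never runs.
	if ( isset( $_POST['append_where_sql'] )
		&& preg_match( '/\b(sleep|benchmark|union|select)\b/i', $_POST['append_where_sql'] ) ) {
		return new WP_Error( 'forbidden', 'Disallowed SQL', array( 'status' => 403 ) );
	}

	// WP_REST_Request parses the form body for any method, so the parameter is
	// available here and is concatenated into the query unescaped.
	$where = '1=1';
	$extra = $request->get_param( 'append_where_sql' );
	if ( is_string( $extra ) && $extra !== '' ) {
		$where .= ' AND ' . $extra;
	}
	$sql = "SELECT id, start_date FROM {$wpdb->prefix}ssa_appointments WHERE {$where}";
	return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// --- Hardened shape ---------------------------------------------------------

function ssa_example_hardened_permission( WP_REST_Request $request ) {
	// A bulk read over appointments is an administrative operation: require a
	// capability, which in turn requires an authenticated user.
	return current_user_can( 'manage_options' );
}

function ssa_example_hardened_bulk( WP_REST_Request $request ) {
	global $wpdb;

	// No raw SQL from the client. Accept a structured filter list and allowlist
	// the column and the operator; only the value reaches the query, through a
	// wpdb::prepare() placeholder matching the column's type.
	$allowed_columns   = array( 'status' => '%s', 'customer_id' => '%d', 'start_date' => '%s' );
	$allowed_operators = array( '=', '!=', '<', '<=', '>', '>=' );

	$clauses = array( '1=1' );
	$values  = array();
	foreach ( (array) $request->get_param( 'filters' ) as $filter ) {
		$column = isset( $filter['column'] ) ? (string) $filter['column'] : '';
		$op     = isset( $filter['op'] ) ? (string) $filter['op'] : '=';
		if ( ! isset( $allowed_columns[ $column ] ) || ! in_array( $op, $allowed_operators, true ) ) {
			return new WP_Error( 'bad_filter', 'Unsupported filter', array( 'status' => 400 ) );
		}
		// $column and $op are now known to be literals from the allowlists above.
		$clauses[] = sprintf( '`%s` %s %s', $column, $op, $allowed_columns[ $column ] );
		$values[]  = isset( $filter['value'] ) ? $filter['value'] : '';
	}

	$sql = "SELECT id, start_date FROM {$wpdb->prefix}ssa_appointments WHERE " . implode( ' AND ', $clauses );
	if ( $values ) {
		$sql = $wpdb->prepare( $sql, $values ); // placeholders came from the allowlist, values are bound
	}
	return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'ssa-example/v1', '/appointments/bulk', array(
		'methods'             => 'PUT',
		'callback'            => 'ssa_example_hardened_bulk',
		'permission_callback' => 'ssa_example_hardened_permission',
	) );
} );
```

Two points in the hardened version carry the security weight. The permission callback decides on a capability rather than a nonce, so the public nonce grants nothing; and the request never contains SQL, only data that is matched against an allowlist before a single character of it is placed next to the query text. Reading parameters through the WP_REST_Request object instead of $_POST also removes the method-dependent gap the advisory describes.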
Detection Methods for CVE-2026-7797
Indicators of Compromise
- HTTP PUT requests to /wp-json/ssa/v1/appointments/bulk or similar Simply Schedule Appointments REST routes from unauthenticated clients.
- Request bodies containing the parameter name append_where_sql with SQL keywords such as SLEEP, BENCHMARK, IF, SELECT, or UNION.
- Anomalous response latency on the /appointments/bulk endpoint, especially responses clustering around a fixed delay such as 5 seconds, which is consistent with a SLEEP()-based probe.
- Repeated requests reusing the same ssa.api.public_nonce value over short intervals. On its own this is weak evidence, because the legitimate booking widget hands the same nonce to every anonymous visitor until WordPress rotates it; treat it as corroboration for the other indicators rather than as a trigger.
Detection Strategies
- Inspect web server and WAF logs for PUT requests carrying application/x-www-form-urlencoded bodies to plugin REST routes; REST clients normally send JSON bodies, so such requests stand out.
- Alert on request bodies containing append_where_sql= combined with SQL functions or comment delimiters.
- Correlate slow database queries from wpdb with concurrent inbound requests to the appointments endpoint.
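The detection strategies above, as an added triage script (example code, not from the advisory or the plugin) that runs over constructed access-log lines. It flags the three signals a time-based blind probe leaves in a plain access log: PUTs to the plugin's REST routes, multi-second responses, and bursts of such requests from one client. It also serves the historical log audit recommended under Immediate Actions. Assumptions: combined log format with the response time appended as a final field in microseconds (Apache "%D"), the route prefix /wp-json/ssa/, and thresholds chosen for the example; the sample lines are constructed, not real traffic.

```php
<?php
// Added example for this advisory, not part of the plugin. Assumes combined
// log format with Apache "%D" (microseconds) appended as the last field, and
// that the plugin's REST routes live under /wp-json/ssa/.

const SSA_ROUTE_PREFIX  = '/wp-json/ssa/';
const SLOW_THRESHOLD_US = 2000000; // 2 s: above a normal bulk read, below a SLEEP(5) probe
const BURST_THRESHOLD   = 4;       // this many PUTs to the route from one client...
const BURST_WINDOW_S    = 60;      // ...inside this many seconds

// Constructed sample lines, not real traffic. The last four mimic a probe:
// repeated PUTs, tiny responses, and response times clustering near 5 s
// (the third PUT is a "false" bit: the injected condition did not sleep).
function ssa_sample_log() {
	return <<<'LOG'
203.0.113.7 - - [28/May/2026:10:00:01 +0000] "GET /book/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 41230
203.0.113.7 - - [28/May/2026:10:00:03 +0000] "POST /wp-json/ssa/v1/appointments HTTP/1.1" 201 310 "-" "Mozilla/5.0" 88010
198.51.100.9 - - [28/May/2026:10:05:10 +0000] "PUT /wp-json/ssa/v1/appointments/bulk HTTP/1.1" 200 18 "-" "python-requests/2.31" 5012345
198.51.100.9 - - [28/May/2026:10:05:16 +0000] "PUT /wp-json/ssa/v1/appointments/bulk HTTP/1.1" 200 18 "-" "python-requests/2.31" 5009877
198.51.100.9 - - [28/May/2026:10:05:22 +0000] "PUT /wp-json/ssa/v1/appointments/bulk HTTP/1.1" 200 18 "-" "python-requests/2.31" 61204
198.51.100.9 - - [28/May/2026:10:05:28 +0000] "PUT /wp-json/ssa/v1/appointments/bulk HTTP/1.1" 200 18 "-" "python-requests/2.31" 5020011
LOG;
}

// Parse one combined-format line (with the trailing %D field) into an array,
// or return null for lines that do not match.
function ssa_parse_log_line( $line ) {
	$re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "[^"]*" "[^"]*" (\d+)$/';
	if ( ! preg_match( $re, $line, $m ) ) {
		return null;
	}
	$ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
	return array(
		'ip'     => $m[1],
		'time'   => $ts ? $ts->getTimestamp() : 0,
		'method' => $m[3],
		'path'   => $m[4],
		'status' => (int) $m[5],
		'usec'   => (int) $m[7],
	);
}

// Return a list of findings, each as array( indicator, client ip, detail ).
function ssa_triage_log( $log ) {
	$findings   = array();
	$puts_by_ip = array(); // ip => timestamps of PUTs to the SSA routes

	foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
		$r = ssa_parse_log_line( $line );
		if ( ! $r || strpos( $r['path'], SSA_ROUTE_PREFIX ) !== 0 ) {
			continue; // not an SSA REST request
		}
		if ( $r['method'] === 'PUT' ) {
			$puts_by_ip[ $r['ip'] ][] = $r['time'];
		}
		if ( $r['usec'] >= SLOW_THRESHOLD_US ) {
			$findings[] = array(
				'slow_response', $r['ip'],
				sprintf( '%s %s took %.2f s', $r['method'], $r['path'], $r['usec'] / 1e6 ),
			);
		}
	}

	// Sliding window over each client's PUT timestamps.
	foreach ( $puts_by_ip as $ip => $times ) {
		sort( $times );
		$n = count( $times );
		for ( $i = 0, $j = 0; $j < $n; $j++ ) {
			while ( $times[ $j ] - $times[ $i ] > BURST_WINDOW_S ) {
				$i++;
			}
			if ( $j - $i + 1 >= BURST_THRESHOLD ) {
				$findings[] = array(
					'put_burst', $ip,
					sprintf( '%d PUTs to %s* within %d s', $j - $i + 1, SSA_ROUTE_PREFIX, BURST_WINDOW_S ),
				);
				break;
			}
		}
	}
	return $findings;
}

foreach ( ssa_triage_log( ssa_sample_log() ) as $f ) {
	printf( "%-14s %-13s %s\n", $f[0], $f[1], $f[2] );
}
```

On the sample input this reports three slow_response findings (the three PUTs near 5 s) and one put_burst for 198.51.100.9. Note what an access log cannot give you: the request body. Matching on append_where_sql itself, as the indicators above suggest, needs a WAF audit log or full request logging in front of WordPress; the access-log signals here are what remains when only the web server's own log is available.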
Monitoring Recommendations
- Enable MySQL slow query logging and review queries originating from the plugin's database model classes.
- Forward WordPress access logs and PHP error logs to a centralized log analytics platform for query and pattern review.
- Alert on sustained request volume to /appointments/bulk from a single client. A time-based blind injection recovers roughly one bit per request, so extraction shows up as hundreds or thousands of small, slow requests rather than as a large response or an outbound data spike.
How to Mitigate CVE-2026-7797
Immediate Actions Required
- Update the Simply Schedule Appointments plugin to version 1.6.11.9 or later on every WordPress instance.
- Audit access logs for any historical PUT requests to /appointments/bulk and investigate suspicious activity.
- If exploitation is suspected, rotate WordPress administrator passwords and any secrets stored in wp_options (API keys, integration tokens), and regenerate the authentication keys and salts in wp-config.php so that every existing login session is invalidated.
Patch Information
The vendor released a fix in version 1.6.11.9. The patch parameterizes the affected query in class-td-db-model.php and tightens permission handling on the bulk endpoint. Patch details are visible in the WordPress Changeset Review.
Workarounds
- Disable or remove the Simply Schedule Appointments plugin until the patched version can be installed.
- Deploy a Web Application Firewall (WAF) rule blocking PUT requests to /wp-json/ssa/* routes that contain the append_where_sql parameter.
- Restrict access to the REST API for unauthenticated users at the reverse proxy layer where booking functionality is not required publicly.
# Example WAF rule snippet (ModSecurity-style) to block exploitation attempts.
# Requires SecRequestBodyAccess On so the form-urlencoded body is available in
# phase 2. The chain fires only when all three conditions hold: PUT method,
# a plugin REST route, and the parameter name anywhere in the raw body.
SecRule REQUEST_METHOD "@streq PUT" \
    "id:1026797,phase:2,deny,status:403,log,msg:'CVE-2026-7797 SSA SQLi block',chain"
    SecRule REQUEST_URI "@contains /wp-json/ssa/" "chain"
        SecRule REQUEST_BODY "@rx append_where_sql" "t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

