What the vulnerability does
01 Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads, provided they have obtained a valid `public_token` that is inadvertently exposed during the booking flow.
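As an added illustration (not the plugin's code; every function name below is hypothetical), the guard and WHERE builder read filters from both the query string and a JSON body, so a parameter that arrives only in the JSON body cannot slip past a check that consults `$_REQUEST` alone, and no request-supplied SQL reaches the query in any case:

```php
<?php
// Added example, not the plugin's own code. Function names are hypothetical.
// The advisory describes a guard that only inspected $_REQUEST, so the same
// key carried in a JSON body was never seen. The safe version below reads
// both channels, rejects the raw-SQL key wherever it appears, and builds the
// WHERE clause only from allowlisted columns via $wpdb->prepare().

function ssa_example_request_params(): array {
    // Start from query-string/form parameters.
    $params = $_REQUEST;
    // Merge in a JSON body if one was sent; JSON keys win on conflict.
    $raw = file_get_contents('php://input');
    if ($raw !== false && $raw !== '') {
        $decoded = json_decode($raw, true);
        if (is_array($decoded)) {
            $params = array_merge($params, $decoded);
        }
    }
    return $params;
}

function ssa_example_where_sql(wpdb $wpdb, array $params): string {
    // Weak pattern the advisory describes: isset($_REQUEST['append_where_sql'])
    // Hardened: refuse the raw-SQL key from any channel, case-insensitively,
    // so a misuse attempt is visible in logs rather than silently ignored.
    foreach (array_keys($params) as $key) {
        if (strtolower((string) $key) === 'append_where_sql') {
            wp_die('Unexpected parameter', '', ['response' => 400]);
        }
    }
    // Allowlist of column => sanitizer. Nothing outside it reaches the query,
    // which is the actual fix; the key rejection above is belt and braces.
    $allowed = [
        'status'           => 'sanitize_key',
        'appointment_type' => 'absint',
    ];
    $clauses = [];
    foreach ($allowed as $column => $sanitize) {
        if (!isset($params[$column])) {
            continue;
        }
        $value     = call_user_func($sanitize, $params[$column]);
        $clauses[] = $wpdb->prepare("`{$column}` = %s", $value);
    }
    return $clauses ? 'WHERE ' . implode(' AND ', $clauses) : '';
}
```

Column names come from the allowlist, never from input, so only the bound values are attacker-controlled and those pass through `prepare()`.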
Explanation of Vulnerability in Simple Terms
02 Summary
The Appointment Booking Calendar plugin contains a SQL injection vulnerability in versions up to 1.6.9.27. An attacker can query or modify the site's database without authentication by sending a crafted request. This allows reading sensitive data like user credentials and appointment information, or altering database records. Update immediately to a patched version.
What an attacker can do
03 Attacker Capabilities
Read or modify the site's database without logging in.
Potential impact on your site
04 Site Impact
Attackers can steal user data, appointment records, and credentials, or corrupt the database.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
March 11, 2026: CVE published
April 8, 2026: Record updated