CVE-2026-7493 MEDIUM

CVE-2026-7493: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.11.5 - Unauthenticated Denial of Service

Vendor Croixhaug
Product Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Weakness CWE-400
Published May 27, 2026
Last update May 27, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.

Explanation of Vulnerability in Simple Terms

02Summary

The Simply Schedule Appointments Booking Plugin for WordPress versions 1.6.11.5 and earlier contains an uncontrolled resource consumption vulnerability. An attacker can send repeated requests to the plugin without authentication, consuming server resources and potentially causing the site to become slow or unresponsive. No user interaction or special privileges are required to exploit this issue.

What an attacker can do

03Attacker Capabilities

Send repeated requests to exhaust server resources and degrade site performance.

Potential impact on your site

04Site Impact

Your site may become slow or temporarily unavailable if an attacker sends a high volume of requests.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 27, 2026 CVE published
May 27, 2026 Record updated