What the vulnerability does
01Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.
Explanation of Vulnerability in Simple Terms
02Summary
The Simply Schedule Appointments Booking Plugin for WordPress versions 1.6.11.5 and earlier contains an uncontrolled resource consumption vulnerability. An attacker can send repeated requests to the plugin without authentication, consuming server resources and potentially causing the site to become slow or unresponsive. No user interaction or special privileges are required to exploit this issue.
What an attacker can do
03Attacker Capabilities
Send repeated requests to exhaust server resources and degrade site performance.
Potential impact on your site
04Site Impact
Your site may become slow or temporarily unavailable if an attacker sends a high volume of requests.
Conditions required to exploit
05Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06Disclosure timeline
May 27, 2026
CVE published
May 27, 2026
Record updated