CVE-2026-1708

Name of the Vulnerable Software and Affected Versions Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin versions prior to 1.6.9.28

Description The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is susceptible to a blind SQL Injection issue. This occurs because the db where conditions method within the TD DB Model class does not adequately prevent the append where sql parameter from being included in JSON request bodies, while only verifying its presence in the $ REQUEST superglobal. This allows unauthenticated attackers to append arbitrary SQL commands to queries and potentially extract sensitive information from the database. Exploitation requires obtaining a valid public token that may be exposed during the booking process. The vulnerable parameter is append where sql and is present in JSON payloads.

Recommendations Update to version 1.6.9.28 or later.