PT-2026-43478 · WordPress · Appointment Booking Calendar

Lucky_Buddy

·

Published

2026-05-27

·

Updated

2026-05-27

·

CVE-2026-7493

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin versions prior to 1.6.11.6
Description The plugin for WordPress is susceptible to a denial of service. An unauthenticated attacker can exhaust PHP worker processes, preventing legitimate users from accessing the site. This occurs because the REST API endpoint "/wp-json/ssa/v1/async" invokes the PHP sleep() function using a user-supplied delay parameter without implementing rate limiting.
Recommendations Update to a version later than 1.6.11.5. As a temporary workaround, restrict access to the "/wp-json/ssa/v1/async" endpoint to minimize the risk of exploitation.

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7493

Affected Products

Appointment Booking Calendar