PatchSiren cyber security CVE debrief

CVE-2026-7493 croixhaug CVE debrief

A denial-of-service vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress. The plugin exposes a REST API endpoint at `/wp-json/ssa/v1/async` that accepts a user-supplied delay parameter and passes it directly to PHP's `sleep()` function without rate limiting or authentication requirements. Unauthenticated attackers can exploit this to hold PHP worker processes open for extended periods, exhausting available workers and denying service to legitimate site visitors. The vulnerability affects all versions up to and including 1.6.11.5. The issue was disclosed on 2026-05-27 with a CVSS 3.1 score of 5.3 (Medium severity).

Vendor: croixhaug
Product: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the Simply Schedule Appointments plugin; hosting providers managing shared WordPress environments; security teams monitoring plugin vulnerabilities that affect availability.

Technical summary

The Simply Schedule Appointments plugin registers a REST API endpoint `/wp-json/ssa/v1/async` that processes asynchronous actions. The endpoint accepts a `delay` parameter that is passed unvalidated to PHP's native `sleep()` function. Because the endpoint requires no authentication and implements no rate limiting, attackers can issue multiple concurrent requests with large delay values (e.g., 30-300 seconds). Each request occupies a PHP worker process for the specified duration. Sufficient concurrent requests exhaust the PHP-FPM or mod_php worker pool, causing subsequent legitimate requests to queue or fail. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption).

Defensive priority

medium

Recommended defensive actions

  • Update Simply Schedule Appointments plugin to version 1.6.11.6 or later when available
  • Implement Web Application Firewall rules to rate-limit or block requests to `/wp-json/ssa/v1/async`
  • Consider disabling the plugin temporarily if updates are not immediately available and the REST endpoint is not required for operations
  • Monitor PHP-FPM or web server worker process utilization for anomalous spikes
  • Review access logs for repeated requests to the affected endpoint with large delay parameters
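As an added defensive example (not PatchSiren's or the plugin's own code), the following Python script carries out the last two actions above over constructed access-log lines: it parses combined-format entries, reads a `delay` query parameter on the affected endpoint, and flags any source that sends an oversized delay or bursts requests inside a sliding time window. The log format, thresholds and sample addresses are assumptions.

```python
# Added example, not PatchSiren's or the plugin's code. Assumes Apache/nginx combined-format
# logs with `delay` in the query string; a POST-body delay is invisible here, so hit count matters.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/wp-json/ssa/v1/async"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*"')

def parse_line(line):
    """Return (ip, timestamp, delay-or-None) for a hit on ENDPOINT, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if parts.path.rstrip("/") != ENDPOINT:
        return None
    raw = parse_qs(parts.query).get("delay", [""])[0]
    delay = int(raw) if raw.isdigit() else None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, delay

def find_suspects(lines, max_delay=5, window=timedelta(minutes=5), max_hits=10):
    """Flag IPs that send delay > max_delay or > max_hits requests inside any window."""
    per_ip = defaultdict(list)
    for ip, ts, delay in filter(None, map(parse_line, lines)):
        per_ip[ip].append((ts, delay))
    suspects = {}
    for ip, hits in per_ip.items():
        hits.sort(key=lambda h: h[0])
        delays = [d for _, d in hits if d is not None]
        reasons = []
        if delays and max(delays) > max_delay:
            reasons.append(f"delay={max(delays)}s exceeds {max_delay}s")
        peak = start = 0  # sliding window: most hits inside any span of length `window`
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            reasons.append(f"{peak} hits within {window}")
        if reasons:
            suspects[ip] = {"hits": len(hits), "max_delay": max(delays, default=None), "reasons": reasons}
    return suspects

# Constructed sample log: a 12-request burst with delay=300 from one source, one benign POST from another.
SAMPLE_LOG = [f'198.51.100.7 - - [27/May/2026:10:00:{s:02d} +0000] "GET {ENDPOINT}?delay=300 HTTP/1.1" 200 12'
              for s in range(12)] + [
    '203.0.113.5 - - [27/May/2026:10:01:00 +0000] "POST /wp-json/ssa/v1/async HTTP/1.1" 200 40']
```

Run `find_suspects(SAMPLE_LOG)` to see the burst source flagged on both counts; tune `max_delay` and `max_hits` to what the site's legitimate booking traffic actually looks like.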

Evidence notes

Vulnerability confirmed via Wordfence security advisory and plugin source code review showing unauthenticated REST endpoint accepting arbitrary sleep duration.
