PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7797 croixhaug CVE debrief

A time-based blind SQL injection vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress. The flaw resides in the 'append_where_sql' parameter, which lacks proper escaping and query preparation. Unauthenticated attackers can exploit this via the /appointments/bulk REST endpoint by using a publicly visible nonce embedded in the booking widget's frontend JavaScript. The attack requires a PUT request with an application/x-www-form-urlencoded body to bypass blocklist checks. Successful exploitation enables extraction of sensitive database information.

Vendor: croixhaug
Product: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators running the Simply Schedule Appointments plugin, security operations teams monitoring WordPress installations, and web application firewall administrators responsible for protecting WordPress environments.

Technical summary

The vulnerability stems from insufficient input sanitization in the append_where_sql parameter within the plugin's REST API implementation. The /appointments/bulk endpoint incorrectly validates permissions using a public nonce (ssa.api.public_nonce) exposed in frontend JavaScript, allowing unauthenticated access. The SQL injection is time-based blind, requiring boolean or time-delay techniques for data extraction. A critical bypass mechanism involves using PUT requests with application/x-www-form-urlencoded bodies, which prevents PHP from populating superglobals and causes the blocklist check to fail silently. The affected files include class-td-api-model.php and class-td-db-model.php in the td-util library component.

Defensive priority

HIGH

Recommended defensive actions

  • Update Simply Schedule Appointments plugin to version 1.6.11.9 or later
  • Implement Web Application Firewall rules to detect and block SQL injection attempts targeting the /appointments/bulk endpoint
  • Review access logs for PUT requests to /appointments/bulk with application/x-www-form-urlencoded content type and unusual append_where_sql parameters
  • Consider temporarily disabling the booking widget public nonce mechanism if immediate patching is not feasible
  • Audit database query logs for anomalous SELECT statements that may indicate successful exploitation
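The two log-review actions above (access logs and database query logs) can be scripted. The following is an added example written for this debrief, not code from the advisory, Wordfence, or the plugin. It uses only what the advisory states: the /appointments/bulk route, the append_where_sql parameter, PUT with an application/x-www-form-urlencoded body as the request shape to look for, and the fact that the injection is time-based blind (so time-delay functions are what a general or slow query log would show). It assumes Apache/nginx combined-format access logs with the request Content-Type header appended as an extra quoted field; the REST namespace prefix "/wp-json/example-ns/v1" and all log lines are constructed placeholders, since the advisory gives only the "/appointments/bulk" part of the route. One caveat the action list does not spell out: standard access logs record the query string but not the request body, so a PUT with a form-urlencoded body is flagged on method and Content-Type alone, and append_where_sql itself is only visible when it was sent in the query string or when WAF/body-logging records are fed in instead.

```python
"""Log-triage helpers for the access-log and query-log review steps (added
example; not code from the advisory or the plugin).  Sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format plus one extra quoted field holding the request
# Content-Type header (assumption: the site logs "%{Content-Type}i" last; plain
# combined-format lines still parse, the field is simply absent).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<ctype>[^"]*)")?$'
)

ENDPOINT = "/appointments/bulk"              # route named in the advisory
PARAM = "append_where_sql"                   # parameter named in the advisory
FORM_CTYPE = "application/x-www-form-urlencoded"
# Time-delay primitives that a time-based blind injection leaves in a general/slow log.
TIME_DELAY_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    ip: str
    reason: str


def triage_access_log(lines: List[str]) -> List[Finding]:
    """Flag requests to the bulk endpoint that match the advisory's indicators.

    Access logs hold the query string, not the body, so the PUT case is flagged on
    method + Content-Type; the parameter is only seen when it is in the query string
    (or when WAF/body-logging records are passed in instead of access-log lines)."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        m = ACCESS_RE.match(raw.strip())
        if not m:
            continue                      # not combined format; skip rather than guess
        url = urlsplit(m["target"])
        if ENDPOINT not in url.path:
            continue
        ctype = (m["ctype"] or "").split(";")[0].strip().lower()
        if m["method"] == "PUT" and ctype == FORM_CTYPE:
            findings.append(Finding(n, m["ip"],
                                    "PUT with form-urlencoded body to bulk endpoint"))
        if PARAM in parse_qs(url.query):
            findings.append(Finding(n, m["ip"], f"{PARAM} supplied in query string"))
    return findings


def triage_query_log(lines: List[str]) -> List[int]:
    """Return line numbers of SELECT statements carrying a time-delay function."""
    return [n for n, raw in enumerate(lines, 1)
            if re.search(r"\bSELECT\b", raw, re.IGNORECASE) and TIME_DELAY_RE.search(raw)]


# Constructed sample lines.  "/wp-json/example-ns/v1" is a placeholder REST
# namespace; the advisory names only the "/appointments/bulk" part of the route.
SAMPLE_ACCESS = [
    '203.0.113.5 - - [28/May/2026:10:01:02 +0000] "GET /wp-json/example-ns/v1/appointments/bulk?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [28/May/2026:10:01:09 +0000] "PUT /wp-json/example-ns/v1/appointments/bulk HTTP/1.1" 200 88 "-" "curl/8.0" "application/x-www-form-urlencoded"',
    '198.51.100.7 - - [28/May/2026:10:02:00 +0000] "POST /wp-json/example-ns/v1/appointments/bulk HTTP/1.1" 200 88 "https://shop.example/book" "Mozilla/5.0" "application/json"',
    '198.51.100.7 - - [28/May/2026:10:03:00 +0000] "GET /wp-json/example-ns/v1/appointments/bulk?append_where_sql=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]
SAMPLE_QUERIES = [
    "2026-05-28T10:01:09Z SELECT * FROM wp_example_appointments WHERE status = 'booked' LIMIT 10",
    "2026-05-28T10:01:10Z SELECT * FROM wp_example_appointments WHERE 1=1 AND SLEEP(5)",
    "2026-05-28T10:01:11Z UPDATE wp_options SET option_value = 'x' WHERE option_name = 'y'",
]

if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_ACCESS):
        print(f"access log line {f.line_no} from {f.ip}: {f.reason}")
    for n in triage_query_log(SAMPLE_QUERIES):
        print(f"query log line {n}: SELECT with time-delay function")
```

Run it against real files by reading them into lists and passing those to the two functions; the sample run flags the PUT on access-log line 2, the query-string parameter on line 4, and the SELECT with SLEEP() on query-log line 2. A hit is a review candidate, not proof of compromise: confirm whether the booking widget ever legitimately issues PUT requests with that Content-Type before treating every match as hostile.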

Evidence notes

Vulnerability confirmed in versions up to and including 1.6.11.8. The Wordfence advisory and WordPress plugin repository source code references identify the vulnerable code paths in class-td-api-model.php and class-td-db-model.php. A patch was committed in version 1.6.11.9 as evidenced by the changeset reference.

Official resources

2026-05-28