PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39493 NSquared CVE debrief

A critical vulnerability was discovered in the Simply Schedule Appointments plugin, affecting versions up to and including 1.6.9.27. This vulnerability, tracked as CVE-2026-39493, is an unauthenticated SQL injection issue with a CVSS score of 9.3, which falls in the critical severity band. It allows attackers to inject malicious SQL code without authenticating, potentially leading to unauthorized access, data breaches, or other malicious activities.

Vendor: NSquared
Product: Simply Schedule Appointments
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-15
Original CVE updated: 2026-06-15
Advisory published: 2026-06-15
Advisory updated: 2026-06-15

Who should care

Administrators and users of the Simply Schedule Appointments plugin, especially those using versions <= 1.6.9.27, should be aware of this vulnerability and take immediate action to mitigate the risk.

Technical summary

CVE-2026-39493 is classified under CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L. The vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and changes scope (S:C). The impact on confidentiality is high (C:H), with no integrity impact (I:N) and a low availability impact (A:L).

Defensive priority

High

Recommended defensive actions

  • Update the Simply Schedule Appointments plugin to a version that fixes this vulnerability.
  • Review and monitor database activity for suspicious queries that could indicate exploitation attempts.

Evidence notes

Evidence for this CVE comes from Patchstack, as indicated by the resource link [ref-4](https://patchstack.com/database/wordpress/plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-27-sql-injection-vulnerability-2?_s_id=cve).

Official resources

CVE-2026-39493 was published on 2026-06-15T21:16:44.983Z and modified on 2026-06-15T21:24:32.790Z.