PatchSiren

croixhaug CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM croixhaug CVE published 2026-05-28

CVE-2026-6937

A Missing Authorization vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress allows unauthenticated attackers to modify arbitrary appointment records and expose customer PII via the bulk appointments REST API endpoint. The vulnerability exists because the plugin fails to properly verify user authorization, and relies on a static, user-independent nonce value that is exposed in th [truncated]

HIGH croixhaug CVE published 2026-05-28

CVE-2026-7797

A time-based blind SQL injection vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress. The flaw resides in the 'append_where_sql' parameter, which lacks proper escaping and query preparation. Unauthenticated attackers can exploit this via the /appointments/bulk REST endpoint by using a publicly visible nonce embedded in the booking widget's frontend JavaScript. The attack [truncated]

MEDIUM croixhaug CVE published 2026-05-27

CVE-2026-7493

A denial-of-service vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress. The plugin exposes a REST API endpoint at `/wp-json/ssa/v1/async` that accepts a user-supplied delay parameter and passes it directly to PHP's `sleep()` function without rate limiting or authentication requirements. Unauthenticated attackers can exploit this to hold PHP worker processes open for exte [truncated]