A Missing Authorization vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress allows unauthenticated attackers to modify arbitrary appointment records and expose customer PII via the bulk appointments REST API endpoint. The vulnerability exists because the plugin fails to properly verify user authorization, and relies on a static, user-independent nonce value that is exposed in th [truncated]
A time-based blind SQL injection vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress. The flaw resides in the 'append_where_sql' parameter, which lacks proper escaping and query preparation. Unauthenticated attackers can exploit this via the /appointments/bulk REST endpoint by using a publicly visible nonce embedded in the booking widget's frontend JavaScript. The attack [truncated]
A denial-of-service vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress. The plugin exposes a REST API endpoint at `/wp-json/ssa/v1/async` that accepts a user-supplied delay parameter and passes it directly to PHP's `sleep()` function without rate limiting or authentication requirements. Unauthenticated attackers can exploit this to hold PHP worker processes open for exte [truncated]