PatchSiren

croixhaug CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM | croixhaug CVE published 2026-05-27

CVE-2026-7493

A denial-of-service vulnerability exists in the Simply Schedule Appointments Booking Plugin for WordPress. The plugin exposes a REST API endpoint at `/wp-json/ssa/v1/async` that accepts a user-supplied delay parameter and passes it directly to PHP's `sleep()` function without rate limiting or authentication requirements. Unauthenticated attackers can exploit this to hold PHP worker processes open for exte [truncated]