Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Blind SQL Injection.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.27.
AnalysisAI
Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated attackers with low-privilege access to extract sensitive database contents and potentially trigger denial-of-service conditions. The vulnerability stems from improper neutralization of SQL special elements in user-controlled input. Network-accessible exploitation requires valid credentials but no user interaction. CVSS 8.5 severity reflects high confidentiality impact with scope change, enabling cross-boundary data access. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, 6th percentile).
Technical ContextAI
CWE-89 blind SQL injection enabling boolean-based or time-based inference attacks against database queries. CVSS vector PR:L indicates authenticated context; scope change (S:C) suggests attacker can access resources beyond plugin's authorization boundary. Affected CPE: cpe:2.3:a:nsquared:simply_schedule_appointments, confirming WordPress plugin vulnerability in appointment scheduling functionality where SQL queries improperly handle attacker-supplied parameters.
RemediationAI
No vendor-released patch identified at time of analysis. Upstream fix available per Patchstack advisory; released patched version not independently confirmed. Until patched version is released: (1) audit WordPress user permissions to restrict low-privilege authenticated access where feasible, (2) implement Web Application Firewall rules blocking SQL injection patterns in plugin parameters, (3) monitor database query logs for anomalous time-delay patterns indicative of blind SQLi exploitation. Consider temporarily deactivating Simply Schedule Appointments if appointment scheduling functionality is non-critical to operations. Consult Patchstack advisory for technical details: https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-27-sql-injection-vulnerability and official NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-39495
More in Simply Schedule Appointments
View allThe Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu
Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm
Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2
Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1
Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows un
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20160
GHSA-w79w-69fh-fq49