Skip to main content

Simply Schedule Appointments CVE-2026-39495

| EUVDEUVD-2026-20160 HIGH
SQL Injection (CWE-89)
2026-04-08 Patchstack GHSA-w79w-69fh-fq49
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20160
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Blind SQL Injection.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.27.

AnalysisAI

Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated attackers with low-privilege access to extract sensitive database contents and potentially trigger denial-of-service conditions. The vulnerability stems from improper neutralization of SQL special elements in user-controlled input. Network-accessible exploitation requires valid credentials but no user interaction. CVSS 8.5 severity reflects high confidentiality impact with scope change, enabling cross-boundary data access. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, 6th percentile).

Technical ContextAI

CWE-89 blind SQL injection enabling boolean-based or time-based inference attacks against database queries. CVSS vector PR:L indicates authenticated context; scope change (S:C) suggests attacker can access resources beyond plugin's authorization boundary. Affected CPE: cpe:2.3:a:nsquared:simply_schedule_appointments, confirming WordPress plugin vulnerability in appointment scheduling functionality where SQL queries improperly handle attacker-supplied parameters.

RemediationAI

No vendor-released patch identified at time of analysis. Upstream fix available per Patchstack advisory; released patched version not independently confirmed. Until patched version is released: (1) audit WordPress user permissions to restrict low-privilege authenticated access where feasible, (2) implement Web Application Firewall rules blocking SQL injection patterns in plugin parameters, (3) monitor database query logs for anomalous time-delay patterns indicative of blind SQLi exploitation. Consider temporarily deactivating Simply Schedule Appointments if appointment scheduling functionality is non-critical to operations. Consult Patchstack advisory for technical details: https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-27-sql-injection-vulnerability and official NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-39495

CVE-2024-7129 HIGH POC
7.2 Sep 13

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu

CVE-2026-39493 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a

CVE-2022-2373 MEDIUM POC
5.3 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u

CVE-2024-2341 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-2342 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-7877 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2024-7876 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2022-2374 MEDIUM POC
4.8 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic

CVE-2023-50851 HIGH
7.6 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm

CVE-2026-42384 HIGH
7.5 Jun 15

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2

CVE-2026-39447 HIGH
7.1 Jun 15

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1

CVE-2026-59523 MEDIUM
6.5 Jul 13

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows un

Share

CVE-2026-39495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy