Skip to main content

Simply Schedule Appointments

17 CVEs product

Monthly

CVE-2026-59523 MEDIUM This Month

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows unauthenticated network attackers to bypass access control security levels, yielding limited confidentiality and integrity impact against affected WordPress sites. Reported by Patchstack under CWE-862, the flaw is automatable per CISA's SSVC framework, meaning it can be exploited at scale without human interaction. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis, but the unauthenticated, low-complexity attack surface warrants prompt patching.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57812 MEDIUM This Month

Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-42384 HIGH PATCH This Week

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2 allows remote attackers to retrieve protected information without credentials over the network. The flaw is reported by Patchstack and carries a CVSS 7.5 (high) confidentiality-only impact, with no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Simply Schedule Appointments
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-39493 CRITICAL Act Now

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote attackers to inject crafted SQL through plugin endpoints without authentication. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the vulnerable component, though only confidentiality (High) and availability (Low) are affected per the vector. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

SQLi Simply Schedule Appointments
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-39447 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.10.6) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of the targeted user. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Simply Schedule Appointments
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39694 MEDIUM This Month

Missing authorization in NSquared Simply Schedule Appointments WordPress plugin through version 1.6.10.2 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 (low-moderate) and EPSS probability of 0.02%, placing it in the lower-risk percentile despite public awareness. No active exploitation has been confirmed, and SSVC decision data indicates the issue is automatable but non-critical due to partial technical impact.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39495 HIGH This Week

Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated attackers with low-privilege access to extract sensitive database contents and potentially trigger denial-of-service conditions. The vulnerability stems from improper neutralization of SQL special elements in user-controlled input. Network-accessible exploitation requires valid credentials but no user interaction. CVSS 8.5 severity reflects high confidentiality impact with scope change, enabling cross-boundary data access. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, 6th percentile).

SQLi Simply Schedule Appointments
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2024-7877 MEDIUM POC This Month

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simply Schedule Appointments
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-7876 MEDIUM POC This Month

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simply Schedule Appointments
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-7129 HIGH POC This Week

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress Simply Schedule Appointments
NVD WPScan
CVSS 3.1
7.2
EPSS
1.1%
CVE-2024-4288 MEDIUM PATCH This Month

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Simply Schedule Appointments
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2024-2342 HIGH PATCH This Week

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the customer_id parameter in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Simply Schedule Appointments
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-2341 HIGH PATCH This Week

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the keys parameter in all versions up to, and including, 1.6.7.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Simply Schedule Appointments
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-1760 MEDIUM PATCH This Month

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.6.20. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Simply Schedule Appointments
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2023-50851 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin.6.6.1. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Simply Schedule Appointments
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2022-2374 MEDIUM POC This Month

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simply Schedule Appointments
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-2373 MEDIUM POC This Month

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Simply Schedule Appointments
NVD WPScan
CVSS 3.1
5.3
EPSS
1.4%
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows unauthenticated network attackers to bypass access control security levels, yielding limited confidentiality and integrity impact against affected WordPress sites. Reported by Patchstack under CWE-862, the flaw is automatable per CISA's SSVC framework, meaning it can be exploited at scale without human interaction. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis, but the unauthenticated, low-complexity attack surface warrants prompt patching.

Authentication Bypass Simply Schedule Appointments
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.

Authentication Bypass Simply Schedule Appointments
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2 allows remote attackers to retrieve protected information without credentials over the network. The flaw is reported by Patchstack and carries a CVSS 7.5 (high) confidentiality-only impact, with no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Simply Schedule Appointments
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote attackers to inject crafted SQL through plugin endpoints without authentication. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the vulnerable component, though only confidentiality (High) and availability (Low) are affected per the vector. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

SQLi Simply Schedule Appointments
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.10.6) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of the targeted user. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Simply Schedule Appointments
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in NSquared Simply Schedule Appointments WordPress plugin through version 1.6.10.2 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 (low-moderate) and EPSS probability of 0.02%, placing it in the lower-risk percentile despite public awareness. No active exploitation has been confirmed, and SSVC decision data indicates the issue is automatable but non-critical due to partial technical impact.

Authentication Bypass Simply Schedule Appointments
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated attackers with low-privilege access to extract sensitive database contents and potentially trigger denial-of-service conditions. The vulnerability stems from improper neutralization of SQL special elements in user-controlled input. Network-accessible exploitation requires valid credentials but no user interaction. CVSS 8.5 severity reflects high confidentiality impact with scope change, enabling cross-boundary data access. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, 6th percentile).

SQLi Simply Schedule Appointments
NVD
EPSS 0% CVSS 4.8
MEDIUM POC This Month

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simply Schedule Appointments
NVD WPScan
EPSS 0% CVSS 4.8
MEDIUM POC This Month

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simply Schedule Appointments
NVD WPScan
EPSS 1% CVSS 7.2
HIGH POC This Week

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress Simply Schedule Appointments
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Simply Schedule Appointments
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the customer_id parameter in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Simply Schedule Appointments
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the keys parameter in all versions up to, and including, 1.6.7.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Simply Schedule Appointments
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.6.20. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Simply Schedule Appointments
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin.6.6.1. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Simply Schedule Appointments
NVD
EPSS 1% CVSS 4.8
MEDIUM POC This Month

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simply Schedule Appointments
NVD WPScan
EPSS 1% CVSS 5.3
MEDIUM POC This Month

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Simply Schedule Appointments
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy