[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXNtrVq9YOuhMSjZilfsfg5ISZsEYmesxKrKDyjsustg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39493","appointment-booking-calendar-simply-schedule-appointments-booking-plugin-unauthenticated-sql-injection","Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin \u003C= 1.6.9.27 - Unauthenticated SQL Injection","The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.6.9.27 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","simply-schedule-appointments",null,"\u003C=1.6.9.27","1.6.9.29","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-08 00:00:00","2026-04-13 21:10:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7c69d0ec-d533-416b-9bc1-a3d5a871469a?source=api-prod",6,[22,23,24,25,26,27,28,29],"CHANGELOG.md","admin-app\u002Fdist\u002Fstatic\u002Fjs\u002Fapp.js","includes\u002Fclass-appointment-model.php","includes\u002Fclass-elementor.php","includes\u002Fclass-paypal-ipn-listener.php","includes\u002Flib\u002Ftd-util\u002Fclass-td-db-model.php","readme.txt","simply-schedule-appointments.php","researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-39493**, an unauthenticated SQL injection vulnerability in the **Simply Schedule Appointments** plugin (\u003C= 1.6.9.27).\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the way the plugin handles database queries for fetching appointment types and appointments. Specifically, the dynamic query builder in the base model class (`TD_DB_Model`) fails to properly sanitize array-based parameters (like `appointment_type_ids[]` or `category_ids[]`) before incorporating them into SQL `IN` clauses. Because these actions are available to unauthenticated users via `wp_ajax_nopriv` hooks to support the public booking form, an attacker can inject malicious SQL by manipulating these array parameters.\n\n### 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n- **Action**: `ssa_get_appointment_types` (or `ssa_get_available_slots`)\n- **Vulnerable Parameter**: `appointment_type_ids[]` (or `category_ids[]`)\n- **Authentication**: Unauthenticated (requires a public-facing nonce)\n- **Preconditions**: The plugin must be active, and at least one appointment type should be configured.\n\n### 3. Code Flow\n1. **Entry Point**: A POST request is sent to `admin-ajax.php` with `action=ssa_get_appointment_types`.\n2. **Hook Registration**: The plugin registers `wp","The Simply Schedule Appointments plugin is vulnerable to unauthenticated SQL injection due to the dynamic query builder in its base database model failing to sanitize array-based parameters before using them in SQL 'IN' clauses. Attackers can exploit this via the public-facing booking AJAX endpoints to extract sensitive database information without authentication.","\u002F\u002F includes\u002Flib\u002Ftd-util\u002Fclass-td-db-model.php\n\u002F\u002F The base model class provides hooks for dynamic where conditions but fails to escape array-based args\n\npublic function db_hooks() {\n    $this->maybe_create_table();\n    add_filter( 'query_'.$this->slug.'_db_where_conditions', array( $this, 'filter_where_conditions' ), 10, 2 );\n}\n\npublic function filter_where_conditions( $where, $args ) {\n    return $where;\n}\n\n\u002F\u002F (Inferred vulnerable logic in the query builder that processes $args)\n\u002F\u002F if ( is_array( $value ) ) {\n\u002F\u002F     $where[] = \"$column_name IN (\" . implode( ',', $value ) . \")\";\n\u002F\u002F }","--- includes\u002Flib\u002Ftd-util\u002Fclass-td-db-model.php\n+++ includes\u002Flib\u002Ftd-util\u002Fclass-td-db-model.php\n@@ -345,7 +345,11 @@\n \t\t\t\t\tif ( is_array( $value ) ) {\n-\t\t\t\t\t\t$where[] = \"$column_name IN (\" . implode( ',', $value ) . \")\";\n+\t\t\t\t\t\t$escaped_values = array_map( function( $item ) {\n+\t\t\t\t\t\t\treturn is_numeric( $item ) ? $item : \"'\" . esc_sql( $item ) . \"'\";\n+\t\t\t\t\t\t}, $value );\n+\t\t\t\t\t\t$where[] = \"$column_name IN (\" . implode( ',', $escaped_values ) . \")\";\n \t\t\t\t\t} else {\n \t\t\t\t\t\t$where[] = $wpdb->prepare( \"$column_name = %s\", $value );\n \t\t\t\t\t}","The exploit targets the AJAX interface used for the public booking form. \n\n1. Identify a public booking endpoint such as ssa_get_appointment_types or ssa_get_available_slots.\n2. Construct a POST request to wp-admin\u002Fadmin-ajax.php with the action parameter set to one of the vulnerable hooks.\n3. Supply a malicious SQL payload inside an array-based parameter that is used to filter results (e.g., appointment_type_ids[] or category_ids[]).\n4. The payload should utilize a boolean-based or time-based SQL injection technique, such as: 1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a). \n5. No authentication is required, though a public nonce (security parameter) found in the frontend source code may be necessary depending on the specific WordPress environment configuration.","gemini-3-flash-preview","2026-04-17 20:09:59","2026-04-17 20:10:50",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.9.27","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimply-schedule-appointments\u002Ftags\u002F1.6.9.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimply-schedule-appointments.1.6.9.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimply-schedule-appointments\u002Ftags\u002F1.6.9.29","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimply-schedule-appointments.1.6.9.29.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimply-schedule-appointments\u002Ftags"]