Appointment Booking Calendar Plugin Allows Attackers to Steal Sensitive Data

CVE-2026-1708
Summary

The Appointment Booking Calendar plugin for WordPress (Simply Schedule Appointments) is vulnerable to blind SQL injection: a parameter that appends raw SQL to database queries is only blocked in `$_REQUEST`, not in JSON request bodies. An unauthenticated attacker who holds a valid public token, which the booking flow can expose, can use this to extract sensitive information from the database. To fix this, update the plugin to version 1.6.9.28 or later, or remove and replace the plugin if it is not essential to your website.

Original title
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due ...
Original description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads, provided they have obtained a valid `public_token` that is inadvertently exposed during the booking flow.
NVD CVSS 3.1 score: 7.5
Vulnerability type
CWE-89: SQL Injection
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026
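The root cause described in the original description, as an added illustration that is hypothetical code and not the plugin's own: a handler that strips `append_where_sql` only from the `$_REQUEST`-style parameter set, then merges a decoded JSON body into that same set without repeating the check, beside a hardened version that merges every input source first and keeps only an allow-list of expected keys. Function names, the sample input and the allow-list are assumptions.

```php
<?php
// Added illustration, not the plugin's code: the parameter check below
// (names assumed) blocks a key only in the $_REQUEST-style input, then merges
// a JSON body into the same array without the check, so the block is bypassed.

const BLOCKED_PARAMS = ['append_where_sql']; // key that must never come from a client

// Vulnerable pattern: the filter runs before the JSON body is merged in.
function collect_params_vulnerable(array $request, string $raw_body): array {
    foreach (BLOCKED_PARAMS as $key) {
        unset($request[$key]);               // only $_REQUEST-style input is checked
    }
    $json = json_decode($raw_body, true);
    if (is_array($json)) {
        $request = array_merge($request, $json); // JSON keys land unfiltered
    }
    return $request;
}

// Hardened pattern: merge every transport first, then keep only the keys the
// endpoint actually expects. Any SQL is then built from those values with
// placeholders (e.g. $wpdb->prepare()), never from a client-supplied fragment.
function collect_params_hardened(array $request, string $raw_body, array $allowed): array {
    $json   = json_decode($raw_body, true);
    $merged = is_array($json) ? array_merge($request, $json) : $request;
    return array_intersect_key($merged, array_flip($allowed));
}

// Constructed sample input: a form field set plus a JSON body carrying the blocked key.
$sample_request = ['public_token' => 'tok_example', 'date' => '2026-03-11'];
$sample_body    = '{"date":"2026-03-11","append_where_sql":"<client-supplied text>"}';

$vuln = collect_params_vulnerable($sample_request, $sample_body);
$safe = collect_params_hardened($sample_request, $sample_body, ['public_token', 'date']);

// Reports whether the blocked key survived each collector.
printf("vulnerable collector kept key: %s\n", isset($vuln['append_where_sql']) ? 'yes' : 'no');
printf("hardened collector kept key:   %s\n", isset($safe['append_where_sql']) ? 'yes' : 'no');
```

A detection-side check for the same gap is to log, at the collector, any key present in the merged parameter set that is not on the endpoint's allow-list, since such keys should never appear in legitimate booking traffic.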