WordPress Appointment Booking Calendar plugin <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter vulnerability

Unauthenticated SQL Injection via 'appendwheresql' Parameter vulnerability discovered by d.v4ns3c in WordPress Plugin Simply Schedule Appointments versions = 1.6.9.27...

CVE-2026-1708 Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the dbwhereconditions method in the TDDBModel class failing to prevent the appendwheresql paramet...

WordPress Simply Schedule Appointments plugin <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters vulnerability

Unauthenticated SQL Injection via order and appendwheresql Parameters vulnerability discovered by shark3y in WordPress Plugin Simply Schedule Appointments versions = 1.6.9.9...

CVE-2025-12166 Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the order and appendwheresql parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack o...

CVE-2025-12166

CVE-2025-12166 refers to blind SQL Injection in the WordPress plugin Booking Calendar — Simply Schedule Appointments (versions up to 1.6.9.9). The issue arises from insufficient escaping of user-supplied input in the order/append_where_sql parameters, enabling unauthenticated queries that could e...