Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total3
Critical0
High2
Medium1
Reset
Showing 1-3 of 3 records
Threat Entry Updated 2026-03-16

CVE-2026-1704 - Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the…

PLUGIN Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

CVE-2026-1704

MEDIUM CVSS 4.3 2026-03-13
Open Full Technical Breakdown
Threat Entry Updated 2026-03-11

CVE-2026-1708 - Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted…

PLUGIN Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

CVE-2026-1708

HIGH CVSS 7.5 2026-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-03-13

CVE-2025-1119 - Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

CVE-2025-1119

HIGH CVSS 7.3 2025-03-13
Open Full Technical Breakdown
Scroll to top