{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39495", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:43.843Z", "datePublished": "2026-04-08T08:30:12.091Z", "dateUpdated": "2026-04-08T08:30:12.091Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simply-schedule-appointments", "product": "Simply Schedule Appointments", "vendor": "NSquared", "versions": [{"changes": [{"at": "1.6.9.29", "status": "unaffected"}], "lessThanOrEqual": "1.6.9.27", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:58.943Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Blind SQL Injection.<p>This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.27.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Blind SQL Injection.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.27."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:12.091Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-27-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Simply Schedule Appointments plugin <= 1.6.9.27 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Blind SQL Injection.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.27."}], "id": "CVE-2026-39495", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:23.800", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-27-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.6.9.27]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Simply Schedule Appointments", "source": "cna", "vendor": "NSquared"}, "product": "simply_schedule_appointments", "vendor": "nsquared"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:23:55.821440+00:00", "value": {"mitigation_remediation": ["Upgrade Simply Schedule Appointments to the latest available release that fixes the SQL injection flaw.", "If an upgrade cannot be performed immediately, block or restrict unauthenticated access to the plugin\u2019s HTTP endpoints using web\u2011application firewall rules or role\u2011based access controls.", "Disable or remove the plugin if it is not required for site functionality.", "Monitor the server for unusual database activity or failed login attempts following the upgrade."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the WordPress Simply Schedule Appointments plugin released by NSquared, affecting all installations using version 1.6.9.27 or earlier. Sites running WordPress with this plugin at the stated versions are at risk.", "description_and_impact": "Improper neutralization of special elements in an SQL command within the NSquared Simply Schedule Appointments plugin allows a blind SQL injection. An attacker who can craft input into the plugin\u2019s SQL queries can read or modify data stored in the WordPress database, potentially exposing sensitive information such as user credentials or business data. The weakness is classified as CWE\u201189, indicating a classic SQL injection flaw that threatens confidentiality and integrity.", "risk_and_exploitability": "The CVSS score and exploit probability are not provided, and the vulnerability is not listed in the CISA KEV catalog, but the capability to perform blind SQL injection from external input implies a serious risk. The likely attack vector is through HTTP requests to the plugin\u2019s endpoints, where unsanitized user data is processed without adequate validation. Because the flaw does not require authentication in the description, unprivileged users could potentially exploit it, raising the exposure to a broad audience."}}}}, "created": "2026-04-08T19:30:39.079620+00:00", "updated": "2026-04-08T19:43:09.185315+00:00", "vendors": ["nsquared", "nsquared$PRODUCT$simply_schedule_appointments", "wordpress", "wordpress$PRODUCT$wordpress"]}