Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Information

Software Type: Plugin
Software Slug: simply-schedule-appointments (view on wordpress.org)
Software Status: Active
Software Author: croixhaug
Software Website: simplyscheduleappointments.com
Software Downloads: 3,765,116
Software Active Installs: 60,000
Software Record Last Updated: June 18, 2026

Showing 1-20 of 31 Vulnerabilities

| Title | Status | CVE ID | CVSS | Researchers | Date |
| --- | --- | --- | --- | --- | --- |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.10.6 - Unauthenticated Stored Cross-Site Scripting | Patched | CVE-2026-39447 | 7.2 | devploit | May 28, 2026 |
| Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint | Patched | CVE-2026-6937 | 5.3 | winrace | May 27, 2026 |
| Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter | Patched | CVE-2026-7797 | 7.5 | daroo | May 27, 2026 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.11.5 - Unauthenticated Denial of Service | Patched | CVE-2026-7493 | 5.3 | lucky_buddy | May 26, 2026 |
| Appointment Booking Calendar <= 1.6.10.6 - Unauthenticated Arbitrary Appointment View, Modification and Deletion | Patched | CVE-2026-4807 | 6.5 | Athiwat Tiprasaharn (Jitlada) | May 6, 2026 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.11.2 - Unauthenticated Sensitive Information Exposure | Patched | CVE-2026-42384 | 5.3 | Jakub Herman | April 27, 2026 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.27 - Unauthenticated SQL Injection | Patched | CVE-2026-39493 | 7.5 | Doan Dinh Van (DinhVan52) | April 8, 2026 |
| Simply Schedule Appointments <= 1.6.9.27 - Authenticated (Contributor+) SQL Injection | Patched | CVE-2026-39495 | 6.5 | daroo | March 26, 2026 |
| Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter | Patched | CVE-2026-3658 | 7.5 | momopon1415 | March 18, 2026 |
| Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint | Patched | CVE-2026-3045 | 7.5 | Muhammad Sharief | March 12, 2026 |
| Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure | Patched | CVE-2026-1704 | 4.3 | Itthidej Aramsri (Boeing777) | March 12, 2026 |
| Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter | Patched | CVE-2026-1708 | 7.5 | d.v4n_s3c | March 10, 2026 |
| Simply Schedule Appointments <= 1.6.11.0 - Missing Authorization | Patched | CVE-2026-39694 | 5.3 | hhhai | February 26, 2026 |
| Simply Schedule Appointments <= 1.6.9.15 - Missing Authorization | Patched | CVE-2025-69315 | 5.3 | benzdeus | January 20, 2026 |
| Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters | Patched | CVE-2025-12166 | 7.5 | shark3y | January 14, 2026 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure | Patched | CVE-2025-11723 | 6.5 | Lucas Montes (NiRoX) | January 5, 2026 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.16 - Missing Authorization to Unauthenticated Sensitive Information Exposure | Patched | CVE-2025-13754 | 5.3 | Marcin Dudek (dudekmar) | December 18, 2025 |
| Simply Schedule Appointments <= 1.6.8.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes | Patched | CVE-2025-4667 | 6.4 | Muhammad Yudha - DJ | June 13, 2025 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.8.5 - Unauthenticated Arbitrary Shortcode Execution | Patched | CVE-2025-1119 | 7.3 | Luciano Hanna | March 12, 2025 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.8.3 - Reflected Cross-Site Scripting | Patched | CVE-2024-13431 | 6.1 | Luciano Hanna | March 6, 2025 |
