A high-severity blind SQL Injection vulnerability has been identified in the "Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin" for WordPress. This flaw allows an unauthenticated attacker to manipulate the website's database by sending specially crafted requests. Successful exploitation could lead to the theft of sensitive information, such as user data and appointment details, posing a significant risk of a data breach and reputational damage.

The vulnerability is a blind SQL Injection that exists due to improper sanitization of user-supplied input within the order and append_where_sql parameters. An unauthenticated attacker can inject malicious SQL queries into these parameters. Because the vulnerability is "blind," the attacker does not receive direct output from the database in the HTTP response. Instead, they can infer the database structure and its contents by observing the application's behavior, such as time delays or boolean (true/false) responses, to exfiltrate sensitive data one piece at a time.

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful attack could have a significant negative impact on the business, leading to a complete compromise of the website's database. Potential consequences include the unauthorized disclosure of sensitive customer information, appointment data, and user credentials. Such a data breach could result in financial loss, damage to the organization's reputation, loss of customer trust, and potential legal or regulatory penalties.

Immediate Action: Immediately update the "Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin" to the latest patched version provided by the vendor. If the plugin is not critical to business operations, consider deactivating and removing it until it can be safely updated. After updating, review all WordPress security settings to ensure they align with best practices.

Proactive Monitoring: Monitor web server access logs and Web Application Firewall (WAF) logs for suspicious requests targeting the vulnerable plugin's endpoints. Specifically, look for patterns indicative of SQL injection attacks, such as the presence of SQL keywords (SELECT, UNION, SLEEP, BENCHMARK) or special characters in the order and append_where_sql parameters. Monitor for unusual database activity or performance degradation, which could be a symptom of time-based blind SQL injection attempts.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a robust ruleset to detect and block SQL injection attempts. Configure the WAF to specifically inspect and filter the order and append_where_sql parameters for malicious payloads. Additionally, restrict access to the WordPress administrative dashboard to trusted IP addresses only to limit the overall attack surface.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and the potential for a complete database compromise, it is strongly recommended that organizations take immediate action. The primary recommendation is to apply the security update for the affected plugin without delay. Although this CVE is not currently listed on the CISA KEV list, the ease of exploitation for SQL injection flaws warrants urgent attention. Prioritize patching all internet-facing websites using this plugin to prevent a potential data breach.