CVE-2026-39493

Simply Schedule Appointments · Simply Schedule Appointments Plugin

An unauthenticated SQL injection vulnerability in the Simply Schedule Appointments plugin allows attackers to extract sensitive database information.

Executive summary

The Simply Schedule Appointments plugin is affected by a critical SQL injection vulnerability that enables unauthenticated attackers to manipulate database queries and exfiltrate sensitive data.

Vulnerability

The plugin contains an input validation flaw that allows unauthenticated attackers to inject attacker-controlled SQL into a database query, resulting in unauthorized database interaction and data leakage.

Business impact

The CVSS score of 9.3 highlights the severity of this flaw, which provides a direct path for attackers to compromise sensitive business information stored in the database. Successful exploitation could lead to data theft, loss of customer trust, and potential compliance violations regarding data privacy.

Remediation

Immediate Action: Update the Simply Schedule Appointments plugin to version 1.6.9.28 or later.

Proactive Monitoring: Monitor database logs for unusual query patterns or unexpected database errors that may indicate an ongoing exploitation attempt.

Compensating Controls: Implement a Web Application Firewall (WAF) to inspect incoming traffic and block common SQL injection attack signatures.
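As an added, defender-side illustration of the monitoring step above (example code written for this page, not from the advisory or the plugin vendor): a small Python scanner that runs a handful of generic SQL injection indicators over query-log lines. The log layout, connection ids, table name and queries are constructed assumptions modelled on a MySQL general query log; nothing here describes the actual vulnerable endpoint.

```python
import re

# Constructed sample lines in the style of a MySQL general query log.
# Table and column names are placeholders, not the plugin's real schema.
SAMPLE_LOG = """\
2026-01-10T10:00:01.000Z  12 Query  SELECT * FROM wp_example_appointments WHERE id = 42
2026-01-10T10:00:02.000Z  12 Query  SELECT * FROM wp_example_appointments WHERE id = 42 UNION SELECT 1,2,3,4
2026-01-10T10:00:03.000Z  13 Query  SELECT * FROM wp_example_appointments WHERE status = 'booked' OR 1=1 -- '
2026-01-10T10:00:04.000Z  13 Query  SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE()
2026-01-10T10:00:05.000Z  14 Query  SELECT COUNT(*) FROM wp_example_appointments WHERE start_date > '2026-01-01' AND SLEEP(5)
2026-01-10T10:00:06.000Z  15 Query  UPDATE wp_example_appointments SET status = 'cancelled' WHERE id = 7
"""

# Each rule pairs a triage-friendly reason with a regex over the SQL text.
# These are coarse, well-known indicators; tune them against your own baseline.
RULES = [
    ("UNION-based data extraction", re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("always-true condition", re.compile(r"\bOR\b\s+(\d+)\s*=\s*\1\b", re.I)),
    ("comment-terminated string", re.compile(r"(--|#)\s*'?\s*$|/\*.*\*/")),
    ("time-based probe", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
]

# Assumed line layout: <timestamp> <connection id> Query <sql>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")


def scan_query_log(text):
    """Return a list of (connection_id, reason, sql) for each suspicious query.

    Only the first matching rule is reported per line; one reason is enough
    to pull the query into review, and it keeps the output readable.
    """
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not Query events
        sql = m.group("sql")
        for reason, rx in RULES:
            if rx.search(sql):
                findings.append((int(m.group("conn")), reason, sql))
                break
    return findings


def flagged_connections(findings):
    """Group reasons by connection id so an analyst can pivot on the session
    (and on the web server logs for the same time window)."""
    by_conn = {}
    for conn, reason, _sql in findings:
        by_conn.setdefault(conn, []).append(reason)
    return by_conn


if __name__ == "__main__":
    hits = scan_query_log(SAMPLE_LOG)
    for conn, reason, sql in hits:
        print(f"conn {conn}: {reason}: {sql}")
    print("connections to review:", sorted(flagged_connections(hits)))
```

Run against the embedded sample, the scanner flags four of the six queries and leaves the two ordinary ones alone; in practice you would feed it the general log (or query logs from your database proxy) and alert on any connection with one or more findings.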

Exploitation status

Public Exploit Available: False

Analyst recommendation

Organizations relying on this plugin must apply the vendor-provided security update immediately. Given the high severity, remediation should be treated as a priority to prevent data exposure.