CVE-2026-1708: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
CVE-2026-1708 is a high-severity blind SQL Injection vulnerability in the WordPress plugin 'Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin' (versions up to and including 1.6.9.27). The flaw arises because the plugin's db_where_conditions method improperly handles the append_where_sql parameter when it arrives in a JSON request body, allowing unauthenticated attackers who hold a valid public_token to inject arbitrary SQL. This can lead to unauthorized extraction of sensitive database information without any user interaction or authentication beyond the exposed token. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to websites using this plugin, and organizations should prioritize patching or mitigating it to prevent data breaches. Countries with widespread WordPress usage and significant adoption of this plugin are at higher risk.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-1708 affects the 'Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin' for WordPress, specifically all versions up to and including 1.6.9.27. The root cause is an improper neutralization of special elements used in SQL commands (CWE-89), manifesting as a blind SQL Injection vulnerability. The issue lies in the db_where_conditions method of the TD_DB_Model class, which fails to properly sanitize the append_where_sql parameter when it is passed through JSON request bodies. The method only checks for this parameter's presence in the $_REQUEST superglobal, neglecting JSON payloads. Consequently, an attacker who obtains a valid public_token—exposed inadvertently during the booking flow—can craft JSON requests that append arbitrary SQL commands to backend queries. This allows the attacker to extract sensitive information from the database without authentication or user interaction. The CVSS v3.1 score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact. No known exploits have been reported in the wild yet, but the vulnerability's nature and ease of exploitation make it a critical concern for affected WordPress sites.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the backend database of affected WordPress sites using the vulnerable plugin. Attackers can exploit the blind SQL Injection to extract confidential information such as user details, booking data, or other sensitive records. This can lead to privacy violations, regulatory non-compliance, reputational damage, and potential further exploitation if sensitive credentials or tokens are exposed. Since the attack requires only a valid public_token—which may be inadvertently exposed during normal booking operations—many sites could be at risk without realizing it. The vulnerability does not directly affect data integrity or availability but compromises confidentiality significantly. Organizations relying on this plugin for appointment scheduling, especially those handling personal or financial data, face elevated risk of data breaches and subsequent legal and operational consequences.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the 'Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin' to a patched version once released by the vendor. Until a patch is available, administrators should consider disabling the plugin or restricting access to the booking endpoints to trusted IP addresses or authenticated users only. Implementing Web Application Firewall (WAF) rules to detect and block suspicious JSON payloads containing the append_where_sql parameter can reduce exploitation risk. Additionally, reviewing and rotating any exposed public_tokens and monitoring logs for unusual query patterns or access attempts is recommended. Developers should audit the plugin's code to ensure all input parameters, especially those accepted via JSON, are properly sanitized and validated. Employing least privilege principles for database access and segregating sensitive data can also limit potential damage.
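The advisory's central detail is that append_where_sql is only looked for in $_REQUEST, so the same name inside a JSON body goes unchecked. The following inspector, added here as an illustration and not code from the plugin or its vendor, implements the WAF/log-review check recommended above: it flags the parameter whether it appears in the query string or anywhere inside a JSON body. The sample requests, token value and body fields are constructed for the example and do not describe the plugin's real endpoints.

```python
import json
from typing import Any, Iterator

# Parameter name taken from the advisory; everything else below is constructed.
SUSPICIOUS_KEY = "append_where_sql"


def find_keys(obj: Any, key: str, path: str = "$") -> Iterator[str]:
    """Yield JSONPath-like locations of `key` at any depth of a decoded JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}"
            if k == key:
                yield here
            yield from find_keys(v, key, here)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from find_keys(v, key, f"{path}[{i}]")


def inspect_request(query: dict, body: str, content_type: str) -> list[str]:
    """Return findings for one HTTP request (empty list means nothing suspicious).

    Covers both places the parameter can travel: the query string / form data
    that PHP exposes via $_REQUEST, and a JSON body, which the advisory says the
    plugin's own check does not examine.
    """
    findings: list[str] = []
    if SUSPICIOUS_KEY in query:
        findings.append(f"query string carries {SUSPICIOUS_KEY}")
    if "json" in content_type.lower() and body:
        try:
            decoded = json.loads(body)
        except ValueError:
            return findings + ["body declared JSON but failed to parse"]
        for loc in find_keys(decoded, SUSPICIOUS_KEY):
            findings.append(f"JSON body carries {SUSPICIOUS_KEY} at {loc}")
    return findings


# Constructed sample traffic: a normal booking call and one that smuggles the
# parameter inside a nested JSON object. The value is a placeholder, not a payload.
SAMPLE_REQUESTS = [
    {"query": {"public_token": "tok-example"}, "content_type": "application/json",
     "body": json.dumps({"appointment_type_id": 3, "start_date": "2026-03-12"})},
    {"query": {"public_token": "tok-example"}, "content_type": "application/json",
     "body": json.dumps({"appointment_type_id": 3,
                         "filters": {"append_where_sql": "<placeholder>"}})},
]


def scan(requests=SAMPLE_REQUESTS) -> list[list[str]]:
    """Run inspect_request over a batch and return one findings list per request."""
    return [inspect_request(r["query"], r["body"], r["content_type"]) for r in requests]
```

A real deployment would attach this to the WAF or to access-log replay, and would alert on any hit regardless of the value, since the parameter has no legitimate reason to come from an unauthenticated client.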
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-30T16:27:23.329Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b121032f860ef9435ba53a
Added to database: 3/11/2026, 8:00:03 AM
Last enriched: 3/11/2026, 8:14:10 AM
Last updated: 3/11/2026, 9:54:45 AM