CVE-2026-1708 is a blind SQL Injection vulnerability in the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress (up to version 1.6.9.27). The issue arises because the db_where_conditions method in the TD_DB_Model class fails to sanitize the append_where_sql parameter when it is passed in JSON request bodies, only checking for it in the $_REQUEST superglobal. This allows unauthenticated attackers who have obtained a valid public_token, which may be exposed during the booking flow, to append arbitrary SQL commands to database queries and extract sensitive information. The vulnerability has a CVSS 3.1 base score of 7.5 (high severity) with network attack vector, low attack complexity, no privileges required, and no user interaction needed.

Successful exploitation of this vulnerability can result in unauthorized disclosure of sensitive information from the plugin's database. The attacker can perform blind SQL Injection to extract data without authentication beyond possessing a valid public_token. There is no indication of impact on data integrity or availability. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's communications for updates. Until a fix is available, restricting access to the public_token and minimizing exposure of the booking flow may reduce risk. No cloud service remediation applies as this is a WordPress plugin. No vendor advisory states that no action is required or that the issue is mitigated.