CVE-2026-3658 is a SQL Injection vulnerability classified under CWE-89, discovered in the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, developed by croixhaug. This vulnerability affects all plugin versions up to and including 1.6.10.0. The root cause is insufficient escaping and lack of proper preparation of the 'fields' parameter in SQL queries, which allows attackers to append arbitrary SQL commands. Because the plugin fails to sanitize user input properly, an unauthenticated attacker can inject SQL code directly into the database query. This injection can be leveraged to extract sensitive information such as usernames, email addresses, and password hashes from the backend database. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity due to the potential confidentiality impact and ease of exploitation. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects WordPress sites using this plugin, which is commonly used for appointment scheduling, making it a critical concern for organizations relying on this functionality.

The primary impact of CVE-2026-3658 is the unauthorized disclosure of sensitive user data stored in the WordPress database, including usernames, email addresses, and password hashes. This can lead to further attacks such as credential stuffing, phishing, or account takeover if password hashes are cracked. The vulnerability does not directly affect data integrity or availability but compromises confidentiality severely. Organizations using the vulnerable plugin risk data breaches that can damage reputation, violate privacy regulations such as GDPR, and result in financial penalties. Since the exploit requires no authentication and no user interaction, attackers can automate attacks at scale, potentially affecting many sites globally. The impact is especially critical for businesses relying on appointment scheduling and customer data management, including healthcare providers, legal services, and other client-facing industries. The lack of known exploits in the wild does not diminish the urgency, as public disclosure may prompt attackers to develop exploits rapidly.

1. Immediate upgrade: Monitor the plugin vendor's official channels for patches or updated versions that address this vulnerability and apply them promptly once available. 2. Input validation: Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'fields' parameter. 3. Principle of least privilege: Restrict database user permissions for the WordPress site to only necessary operations, limiting the impact of potential exploitation. 4. Disable or replace plugin: If no patch is available, consider disabling the vulnerable plugin and replacing it with a secure alternative for appointment scheduling. 5. Database monitoring: Enable logging and monitoring of database queries to detect anomalous or unauthorized access attempts. 6. Backup and incident response: Ensure recent backups are available and prepare an incident response plan in case of compromise. 7. Security hardening: Regularly update WordPress core and other plugins to reduce overall attack surface and maintain security hygiene. 8. User awareness: Inform site administrators about the vulnerability and encourage vigilance for suspicious activity.