CVE-2026-7493: CWE-400 Uncontrolled Resource Consumption in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
The Simply Schedule Appointments Booking Plugin for WordPress contains a denial of service vulnerability in versions up to 1. 6. 11. 5. This issue arises from a publicly accessible REST API endpoint that invokes PHP's sleep() function with a user-controlled delay parameter and lacks rate limiting. An unauthenticated attacker can exploit this to exhaust PHP worker processes, causing denial of service to legitimate users. No official patch or remediation guidance is currently available. The vulnerability has a medium severity rating with a CVSS score of 5. 3.
AI Analysis
Technical Summary
CVE-2026-7493 is a denial of service vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress. The vulnerability exists because the REST API endpoint /wp-json/ssa/v1/async calls PHP's sleep() function using a delay parameter supplied by the user without any rate limiting controls. This allows unauthenticated attackers to cause uncontrolled resource consumption by tying up PHP worker processes, resulting in denial of service conditions for legitimate users. The vulnerability affects all versions up to and including 1.6.11.5. There is no vendor advisory or patch information available at this time.
Potential Impact
Exploitation of this vulnerability can lead to denial of service by exhausting PHP worker processes on the affected WordPress site. This prevents legitimate users from accessing the site or its booking functionality. There is no impact on confidentiality or integrity reported. The vulnerability is exploitable remotely without authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider implementing external rate limiting or firewall rules to restrict access to the vulnerable REST API endpoint to mitigate potential abuse.
CVE-2026-7493: CWE-400 Uncontrolled Resource Consumption in croixhaug Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Description
The Simply Schedule Appointments Booking Plugin for WordPress contains a denial of service vulnerability in versions up to 1. 6. 11. 5. This issue arises from a publicly accessible REST API endpoint that invokes PHP's sleep() function with a user-controlled delay parameter and lacks rate limiting. An unauthenticated attacker can exploit this to exhaust PHP worker processes, causing denial of service to legitimate users. No official patch or remediation guidance is currently available. The vulnerability has a medium severity rating with a CVSS score of 5. 3.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-7493 is a denial of service vulnerability in the Simply Schedule Appointments Booking Plugin for WordPress. The vulnerability exists because the REST API endpoint /wp-json/ssa/v1/async calls PHP's sleep() function using a delay parameter supplied by the user without any rate limiting controls. This allows unauthenticated attackers to cause uncontrolled resource consumption by tying up PHP worker processes, resulting in denial of service conditions for legitimate users. The vulnerability affects all versions up to and including 1.6.11.5. There is no vendor advisory or patch information available at this time.
Potential Impact
Exploitation of this vulnerability can lead to denial of service by exhausting PHP worker processes on the affected WordPress site. This prevents legitimate users from accessing the site or its booking functionality. There is no impact on confidentiality or integrity reported. The vulnerability is exploitable remotely without authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider implementing external rate limiting or firewall rules to restrict access to the vulnerable REST API endpoint to mitigate potential abuse.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-30T12:14:44.725Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16547ae29bf47b5082afe8
Added to database: 5/27/2026, 2:18:34 AM
Last enriched: 5/27/2026, 2:33:47 AM
Last updated: 5/27/2026, 3:29:23 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.