Home

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-27 | Updated 2026-05-27 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Default status
unaffected

Any version
affected

Timeline

2026-02-25:Discovered
2026-04-30:Vendor Notified
2026-05-26:Disclosed

Credits

lucky_buddy finder

References

www.wordfence.com/...-d086-44fd-8acb-5a99482cedfb?source=cve

plugins.trac.wordpress.org/...s/class-async-action-model.php

cve.org (CVE-2026-7493)

nvd.nist.gov (CVE-2026-7493)

Download JSON