Appointment Booking Calendar — Simply Schedule Appointments Booking…

by | Mar 19, 2026 | Plugins

Attack Vectors

CVE-2026-3658 is a High-severity vulnerability (CVSS 7.5) affecting the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (slug: simply-schedule-appointments) in versions up to and including 1.6.10.0. It can be exploited without authentication, meaning an attacker does not need a login account to attempt an attack.

The attack is performed remotely over the internet (CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) by sending specially crafted requests that manipulate the plugin’s “fields” parameter. Because no user interaction is required (UI:N), this can be automated and scaled, which increases the likelihood of opportunistic scanning and exploitation.

Official CVE record: https://www.cve.org/CVERecord?id=CVE-2026-3658

Security Weakness

This issue is an unauthenticated SQL Injection vulnerability. According to the published advisory, the plugin does not sufficiently escape the user-supplied fields parameter and does not adequately prepare the related database query. As a result, attackers can append SQL to existing queries.

In practical terms, this weakness can allow attackers to query and extract sensitive data from the WordPress database, including usernames, email addresses, and password hashes. The advisory source is Wordfence’s vulnerability intelligence entry: Wordfence reference.

Remediation: Update to version 1.6.10.2 or a newer patched release.
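The weakness described above (a user-supplied "fields" parameter reaching the query without escaping or preparation) and the unauthenticated, remotely reachable attack surface from the Attack Vectors section are illustrated below with an added example that is not code from the plugin, from Wordfence, or from this post. It uses an in-memory SQLite table and a placeholder REST path that stand in for the plugin's real schema and routes (both are assumptions); the point is the pattern, not the plugin's internals. It shows the weak form (the parameter concatenated into SQL), the hardened form (column names checked against an allowlist because identifiers cannot be bound as parameters, and the record id bound with a placeholder), and a small detector that applies the same allowlist to constructed access-log lines so a defender can spot requests carrying malformed "fields" values.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for an appointments table (assumption: the real
# plugin schema differs; only the shape matters for the example).
SCHEMA = """
CREATE TABLE appointments (
    id INTEGER PRIMARY KEY,
    customer_name TEXT,
    customer_email TEXT,
    start_time TEXT
);
INSERT INTO appointments VALUES
    (1, 'Ada', 'ada@example.test', '2026-03-20 09:00'),
    (2, 'Bob', 'bob@example.test', '2026-03-20 10:00');
"""

# Columns a caller is allowed to request through the 'fields' parameter.
# customer_email is deliberately left out to show over-exposure below.
ALLOWED_FIELDS = {"id", "customer_name", "start_time"}
FIELD_TOKEN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def parse_fields(raw):
    """Split a comma-separated 'fields' value and reject anything that is
    not a plain identifier on the allowlist. Raising here keeps the value
    from ever being spliced into SQL."""
    fields = [f.strip() for f in raw.split(",") if f.strip()]
    if not fields:
        raise ValueError("no fields requested")
    for f in fields:
        if not FIELD_TOKEN.match(f) or f not in ALLOWED_FIELDS:
            raise ValueError(f"field not allowed: {f!r}")
    return fields


def vulnerable_query(conn, raw_fields, appointment_id):
    """The weakness class the advisory describes: request input is
    concatenated straight into the statement. Kept only for contrast."""
    sql = f"SELECT {raw_fields} FROM appointments WHERE id = {appointment_id}"
    return conn.execute(sql).fetchall()


def safe_query(conn, raw_fields, appointment_id):
    """Hardened form: identifiers come only from the allowlist (they cannot
    be bound as parameters), the id is coerced to int and bound with '?'."""
    cols = ", ".join(parse_fields(raw_fields))
    sql = f"SELECT {cols} FROM appointments WHERE id = ?"
    return conn.execute(sql, (int(appointment_id),)).fetchall()


# Constructed access-log lines (not real traffic). The route is a placeholder
# for whatever plugin endpoint accepts the 'fields' parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2026:10:00:01 +0000] "GET /wp-json/PLACEHOLDER-plugin-route?fields=id,start_time HTTP/1.1" 200 512
203.0.113.9 - - [19/Mar/2026:10:00:02 +0000] "GET /wp-json/PLACEHOLDER-plugin-route?fields=id%27%20x HTTP/1.1" 200 2048
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(log_text):
    """Return (client_ip, fields_value) for every request whose 'fields'
    parameter fails the same allowlist the hardened query enforces."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group(1)).query)
        for value in query.get("fields", []):
            try:
                parse_fields(value)
            except ValueError:
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    db = make_db()
    print(safe_query(db, "id,start_time", 1))
    print(flag_suspicious_requests(SAMPLE_LOG))
```

The allowlist is the important design choice: escaping alone does not help when the attacker controls a column list, because column names are identifiers, not string literals, and no database driver will bind them as parameters. Reusing the same validator in the log scanner means the detection rule and the fix cannot drift apart.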

Technical or Business Impacts

Because the vulnerability can enable extraction of database information, the most immediate business risk is confidentiality loss—especially exposure of customer and staff contact details, and WordPress account credential material (password hashes). Even if password hashes are not immediately usable, they can be targeted with offline cracking attempts, increasing the risk of account takeover and follow-on compromise.

For leadership, finance, and compliance stakeholders, likely impacts include incident response costs, forced password resets, potential downtime while you investigate, and reputational damage if customer data is confirmed exposed. Depending on your jurisdiction and the type of personal data stored, a successful exploit may also trigger regulatory and contractual notification obligations (privacy laws, client contracts, and industry requirements).

From a marketing perspective, loss of trust and the operational burden of customer communications can disrupt campaigns, reduce conversion rates, and increase churn—especially if attackers use stolen emails for targeted phishing against your audience.

Similar Attacks

SQL injection has been a common entry point in multiple high-profile breaches. Examples include:

TalkTalk data breach (2015) — widely reported as involving SQL injection and exposure of customer data.
Heartland Payment Systems breach (2008) — one of the most cited historic cases where attackers used SQL injection techniques as part of a large-scale payment data compromise.
