CVE-2023-50851: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2023-50851) was discovered in the N Squared Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress. The vulnerability affects versions before 1.6.6.1 and was disclosed on December 21, 2023. This security issue was initially reported by Muhammad Daffa on October 18, 2023 (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received a CVSS v3.1 base score of 7.2 (HIGH) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a CVSS score of 7.6 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (NVD).

The SQL Injection vulnerability could allow a malicious actor with administrator privileges to directly interact with the database, potentially leading to unauthorized access to sensitive information and database manipulation (Patchstack).

Users are advised to update to version 1.6.6.1 or later of the Simply Schedule Appointments plugin to remediate this vulnerability. The fix was released as part of version 1.6.6.1 (Patchstack).