CVE-2024-7129

7.2 HIGH

📋 TL;DR

The Appointment Booking Calendar WordPress plugin before version 1.6.7.43 contains a Twig template injection vulnerability that allows authenticated users with administrative privileges to execute arbitrary code on the server. This affects WordPress sites using vulnerable versions of this plugin. Attackers can achieve remote code execution if they gain admin access.

💻 Affected Systems

Products:
  • Appointment Booking Calendar WordPress Plugin
Versions: All versions before 1.6.7.43
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with vulnerable plugin version. Admin access needed for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise through remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case: Privileged attackers (compromised admin accounts) executing arbitrary code to maintain persistence or escalate access.

🟢 If Mitigated: Limited to authenticated admin users only, reducing attack surface if proper access controls are enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access. Template injection leads to RCE through Twig engine.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.7.43

Vendor Advisory: https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Appointment Booking Calendar'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.6.7.43+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin (Platform: all)

Temporarily disable the Appointment Booking Calendar plugin until patched:

wp plugin deactivate appointment-booking-calendar

Restrict admin access (Platform: all)

Implement strict access controls and MFA for WordPress admin accounts.

🧯 If You Can't Patch

  • Remove plugin entirely and use alternative booking solutions
  • Implement web application firewall rules to block template injection patterns

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get appointment-booking-calendar --field=version

Verify Fix Applied:

Confirm plugin version is 1.6.7.43 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to plugin admin endpoints
  • Twig template syntax in user input fields
  • Suspicious file creation/modification

Network Indicators:

  • HTTP requests containing Twig template syntax to /wp-admin/ or plugin endpoints

SIEM Query:

source="wordpress" AND (uri_path="*appointment*" OR uri_path="*booking*") AND http_method="POST" AND (content="*{{*" OR content="*}}*")
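The two checks above (confirming the plugin version is at or above 1.6.7.43, and flagging POST requests to admin or plugin endpoints whose body carries Twig delimiters) can be scripted for a log review. The following is an added example written for this page, not code from the plugin, the vendor, or the advisory. It assumes a constructed combined-log style format with the request body appended as a final quoted field; the admin page slug "appointment-booking-calendar" in the sample lines is a hypothetical value, not the plugin's real endpoint. The example URL-decodes the body before matching, because a SIEM wildcard search for a literal `{{` will not match a body that arrives as `%7B%7B`.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Patch version stated in the advisory.
FIXED_VERSION = "1.6.7.43"


def parse_version(version: str) -> tuple:
    """Turn '1.6.7.42' into (1, 6, 7, 42) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed plugin version is below the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


# Constructed sample log lines (hypothetical format):
# ip - - [timestamp] "METHOD path HTTP/1.1" status size "request-body"
SAMPLE_LOGS = [
    '198.51.100.4 - - [10/Aug/2024:11:59:58 +0000] "POST /wp-admin/admin.php?page=appointment-booking-calendar HTTP/1.1" 200 512 "name=Jane&notes=see+you+Monday"',
    '203.0.113.7 - - [10/Aug/2024:12:00:01 +0000] "POST /wp-admin/admin.php?page=appointment-booking-calendar HTTP/1.1" 200 512 "notes=%7B%7B+example+%7D%7D"',
    '203.0.113.7 - - [10/Aug/2024:12:00:05 +0000] "GET /wp-admin/admin.php?page=appointment-booking-calendar&q=%7B%7B HTTP/1.1" 200 128 "-"',
    '192.0.2.9 - - [10/Aug/2024:12:01:10 +0000] "POST /contact HTTP/1.1" 200 64 "msg=%7B%7B+not+a+plugin+path+%7D%7D"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>.*)"$'
)

# Twig delimiters: {{ }} for expressions, {% %} for statements.
TWIG_RE = re.compile(r"\{\{|\}\}|\{%|%\}")

# Paths the advisory calls out: /wp-admin/ or the plugin's own endpoints.
TARGET_PATH_RE = re.compile(r"/wp-admin/|appointment|booking", re.IGNORECASE)


@dataclass
class Alert:
    ip: str
    timestamp: str
    path: str
    matched: str  # the decoded Twig delimiter that triggered the alert


def scan_log_lines(lines) -> list:
    """Return one Alert per POST to an admin/plugin path whose decoded body contains Twig syntax."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        if m["method"] != "POST":
            continue
        if not TARGET_PATH_RE.search(m["path"]):
            continue
        decoded_body = unquote_plus(m["body"])  # %7B%7B -> {{
        hit = TWIG_RE.search(decoded_body)
        if hit:
            alerts.append(Alert(m["ip"], m["ts"], m["path"], hit.group(0)))
    return alerts


if __name__ == "__main__":
    for v in ("1.6.7.42", "1.6.7.43", "1.6.8"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for alert in scan_log_lines(SAMPLE_LOGS):
        print(f"ALERT {alert.ip} {alert.timestamp} {alert.path} matched {alert.matched!r}")
```

Feed the output of `wp plugin get appointment-booking-calendar --field=version` to `is_vulnerable_version`, and pipe access-log lines (in whatever format your server actually writes, adjusting `LOG_RE`) through `scan_log_lines`. An alert is a lead, not a confirmed exploit: legitimate booking notes can contain braces, so review the flagged request and the acting admin account before responding.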
