Platform: wordpress
Component: ameliabooking
Fixed in: 2.1.3
CVE-2026-4668 is a SQL Injection vulnerability affecting the Booking for Appointments and Events Calendar - Amelia WordPress plugin. This flaw allows attackers to inject malicious SQL code via the sort parameter, potentially leading to unauthorized data access or modification. The vulnerability affects all versions up to and including 2.1.2. It is fixed in version 2.1.3.
CVE-2026-4668, a SQL Injection vulnerability in the Amelia plugin for WordPress, poses a significant risk to websites utilizing this plugin for appointment and event scheduling. The flaw lies in the insufficient sanitization and validation of the 'sort' parameter within the payments listing endpoint. A malicious actor could manipulate this parameter to inject arbitrary SQL code, potentially granting them unauthorized access, modification, or deletion of sensitive database data, including payment information, user details, and appointment schedules. The impact severity is high, as successful exploitation could compromise the integrity and confidentiality of stored data. The lack of proper escaping or a whitelist allows for direct parameter injection into the SQL query, simplifying exploitation.
An attacker could exploit this vulnerability by sending a malicious HTTP request to the payments listing endpoint, manipulating the 'sort' parameter to include SQL code. For example, they could inject a query to extract user information or modify payment data. Exploitation is relatively straightforward due to the lack of validation. The attacker needs access to the endpoint URL, which is generally accessible from outside the website. No authentication is required, increasing the attack surface.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to immediately update the Amelia plugin to version 2.1.3 or higher, which incorporates the necessary fixes to prevent SQL injection. Furthermore, a comprehensive security audit of the website is advised to identify and remediate any additional potential vulnerabilities. Implementing secure coding practices, such as utilizing parameterized prepared statements instead of direct variable interpolation in SQL queries, is crucial. Regularly monitoring server logs for suspicious activity can aid in detecting and responding to potential attacks. Keeping WordPress and all other plugins updated is a proactive security measure.
Update to version 2.1.3, or a newer patched version
SQL injection is an attack technique that allows an attacker to inject malicious SQL code into a database query, potentially granting them unauthorized access, modification, or deletion of data.
If you are using a version of the Amelia plugin older than 2.1.3, you are likely affected. Check the plugin version within your WordPress admin dashboard.
Immediately change all user passwords, review server logs for suspicious activity, and consult a security professional for a comprehensive audit.
Yes, several vulnerability scanning tools can help identify potential SQL injection vulnerabilities. Examples include OWASP ZAP and sqlmap.
Use parameterized prepared statements, validate and sanitize all user inputs, implement a strong password policy, and keep your software updated.
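As an added illustration of the mitigation described above and in the prevention answer (not the Amelia plugin's own code), here is the weak pattern the advisory describes next to a hardened version: the `sort` value is mapped through an allow-list before it reaches ORDER BY, and only numeric values go through `$wpdb->prepare()`. The table name, column names and function names are assumed for the example.

```php
<?php
// Added example, not code from the Amelia plugin. Assumes a WordPress
// context ($wpdb) and a hypothetical table {$wpdb->prefix}example_payments.

// Weak pattern: the raw request value is interpolated into ORDER BY.
// %s/%d placeholders in $wpdb->prepare() cannot protect identifiers, so
// a missing allow-list here is exactly the defect class in this advisory.
function list_payments_weak(array $request): string {
    global $wpdb;
    $sort = $request['sort'] ?? 'dateTime';
    return "SELECT * FROM {$wpdb->prefix}example_payments ORDER BY {$sort}";
}

// Hardened: resolve the request value to a known column and direction.
// Unknown keys fall back to the default instead of reaching the query.
function resolve_sort(?string $sort): array {
    $columns = [            // request key => real column (hypothetical)
        'date'   => 'dateTime',
        'amount' => 'amount',
        'status' => 'status',
    ];
    $sort = (string) ($sort ?? 'date');
    $dir  = (substr($sort, 0, 1) === '-') ? 'DESC' : 'ASC';
    $key  = ltrim($sort, '-');
    if (!array_key_exists($key, $columns)) {
        $key = 'date';      // silently use the default; could also return 400
        $dir = 'DESC';
    }
    return [$columns[$key], $dir];
}

function list_payments_safe(array $request, int $page = 1, int $per_page = 20): array {
    global $wpdb;
    $table = $wpdb->prefix . 'example_payments';   // hypothetical table
    [$column, $dir] = resolve_sort($request['sort'] ?? null);

    // Identifiers come only from the allow-list above; the only user-derived
    // values left (LIMIT/OFFSET) are bound with %d. WordPress 6.2+ also has
    // the %i identifier placeholder, but it quotes rather than validates, so
    // the allow-list is still the control that matters.
    $sql = $wpdb->prepare(
        "SELECT id, amount, status, dateTime FROM {$table} "
        . "ORDER BY {$column} {$dir} LIMIT %d OFFSET %d",
        max(1, $per_page),
        max(0, ($page - 1) * $per_page)
    );
    return $wpdb->get_results($sql, ARRAY_A);
}
```

When reviewing a plugin for this defect, look for any ORDER BY, table name or column name built from request data that does not pass through a fixed map like `resolve_sort()`.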