CVE-2026-4668
Status: Received - Intake
SQL Injection in Amelia WordPress Plugin Allows Data Extraction

Publication date: 2026-04-01

Last updated on: 2026-04-01

Assigner: Wordfence

Description
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the `sort` parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied `sort` parameter and lack of sufficient preparation on the existing SQL query in `PaymentRepository.php`, where the sort field is interpolated directly into an ORDER BY clause without sanitization or whitelist validation. PDO prepared statements do not protect ORDER BY column names. GET requests also skip Amelia's nonce validation entirely. This makes it possible for authenticated attackers, with Manager-level (`wpamelia-manager`) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-01
Generated: 2026-05-06
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: ameliabooking
Product: booking_for_appointments_and_events_calendar
Version / Range: up to and including 2.1.2
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress has a SQL Injection vulnerability in the payments listing endpoint. This vulnerability arises because the `sort` parameter, which is user-supplied, is directly inserted into the SQL ORDER BY clause without proper sanitization or whitelist validation. Since PDO prepared statements do not protect column names in ORDER BY clauses, this allows an attacker with Manager-level access or higher to manipulate the SQL query.

Additionally, GET requests bypass Amelia's nonce validation, which normally helps prevent unauthorized requests. Exploiting this, an attacker can append additional SQL queries to extract sensitive information from the database using time-based blind SQL injection techniques.

How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker with Manager-level access or higher to perform unauthorized SQL queries on the database. Specifically, they can extract sensitive information by injecting malicious SQL code through the `sort` parameter.

The impact includes potential exposure of confidential data stored in the database, which could lead to data breaches, loss of customer trust, and compromise of the integrity of the booking system.

The CVSS score of 6.5 indicates a medium severity, with high confidentiality impact but no impact on integrity or availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves SQL Injection via the `sort` parameter in the payments listing endpoint of the Amelia Booking WordPress plugin. Detection would involve monitoring or testing the behavior of this endpoint when manipulated with malicious `sort` parameter values.

Since the vulnerability requires authenticated users with Manager-level (`wpamelia-manager`) access or higher, detection can include attempting to send crafted GET requests to the payments listing endpoint with malicious `sort` parameters to observe abnormal responses or delays indicative of time-based blind SQL injection.

Suggested commands for detection could include using curl or similar tools to send requests with suspicious `sort` values, for example:

  • curl -i -b 'wordpress_logged_in=your_auth_cookie' 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=amelia_payments&sort=id ASC'
  • curl -i -b 'wordpress_logged_in=your_auth_cookie' 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=amelia_payments&sort=id ASC; WAITFOR DELAY '0:0:5''

The second command attempts to inject a time delay to detect SQL injection via time-based blind techniques. Monitoring response times can help identify the vulnerability.

Note: Proper authentication cookies or session tokens with Manager-level access are required to perform these tests.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Update the Amelia Booking plugin to a version later than 2.1.2 where this vulnerability is fixed.
  • Restrict or review user roles and permissions to ensure only trusted users have Manager-level (`wpamelia-manager`) access or higher.
  • Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection attempts targeting the `sort` parameter in the payments listing endpoint.
  • Monitor logs for unusual activity or repeated failed attempts to exploit the `sort` parameter.

Since the vulnerability arises from insufficient sanitization of the `sort` parameter and bypass of nonce validation in GET requests, applying the official patch or plugin update is the most effective mitigation.
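As an added example that is not the plugin's code and not part of this record, the whitelist validation the description calls for, written in Python rather than the plugin's PHP: the same check serves as the fix for building the ORDER BY clause and as a detector over constructed access-log lines for the log-monitoring step above. The column list and the `amelia_payments` action name (taken from the curl examples) are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed whitelist of sortable payment columns; the plugin's real list is not on this page.
ALLOWED_SORT_COLUMNS = {"id", "dateTime", "amount", "status", "customerId"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def safe_order_by(sort: str) -> str:
    """Build an ORDER BY fragment only from a whitelisted column and direction;
    placeholders cannot cover identifiers, so the whitelist is the control."""
    parts = sort.strip().split()
    if len(parts) not in (1, 2):
        raise ValueError(f"rejected sort value: {sort!r}")
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected sort value: {sort!r}")
    return f"ORDER BY `{column}` {direction}"

# Constructed access-log lines (combined log format), not real traffic.
# The action name follows the curl examples above and is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=amelia_payments&sort=id%20ASC HTTP/1.1" 200 512
203.0.113.5 - - [01/Apr/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=amelia_payments&sort=id%27 HTTP/1.1" 200 512
198.51.100.7 - - [01/Apr/2026:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=amelia_payments&sort=amount%20DESC HTTP/1.1" 200 640
198.51.100.7 - - [01/Apr/2026:10:01:30 +0000] "GET /wp-admin/admin-ajax.php?action=amelia_payments&sort=(1) HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')

def find_suspicious_sort_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded sort value) for payments-listing GETs whose
    sort value fails the whitelist, i.e. what the unpatched code would interpolate."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query)
        if params.get("action") != ["amelia_payments"] or "sort" not in params:
            continue
        for value in params["sort"]:
            try:
                safe_order_by(value)
            except ValueError:
                hits.append((line.split()[0], value))
    return hits
```

Calling `find_suspicious_sort_requests(SAMPLE_LOG)` flags the two requests whose decoded `sort` value is not a plain whitelisted column and direction.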

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users with Manager-level access to perform SQL Injection attacks that can extract sensitive information from the database. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access or disclosure.

Since the vulnerability enables extraction of sensitive information via SQL Injection, it increases the risk of data breaches, which are subject to strict reporting and remediation requirements under these regulations.

