CVE-2026-4668
Received Received - Intake
SQL Injection in Amelia WordPress Plugin Allows Data Extraction

Publication date: 2026-04-01

Last updated on: 2026-04-01

Assigner: Wordfence

Description
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the `sort` parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied `sort` parameter and lack of sufficient preparation on the existing SQL query in `PaymentRepository.php`, where the sort field is interpolated directly into an ORDER BY clause without sanitization or whitelist validation. PDO prepared statements do not protect ORDER BY column names. GET requests also skip Amelia's nonce validation entirely. This makes it possible for authenticated attackers, with Manager-level (`wpamelia-manager`) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4668
EUVD
EUVD-2026-17727
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ameliabooking booking_for_appointments_and_events_calendar to 2.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress has a SQL Injection vulnerability in the payments listing endpoint. This vulnerability arises because the `sort` parameter, which is user-supplied, is directly inserted into the SQL ORDER BY clause without proper sanitization or whitelist validation. Since PDO prepared statements do not protect column names in ORDER BY clauses, this allows an attacker with Manager-level access or higher to manipulate the SQL query.

Additionally, GET requests bypass Amelia's nonce validation, which normally helps prevent unauthorized requests. Exploiting this, an attacker can append additional SQL queries to extract sensitive information from the database using time-based blind SQL injection techniques.

Impact Analysis

This vulnerability can allow an authenticated attacker with Manager-level access or higher to perform unauthorized SQL queries on the database. Specifically, they can extract sensitive information by injecting malicious SQL code through the `sort` parameter.

The impact includes potential exposure of confidential data stored in the database, which could lead to data breaches, loss of customer trust, and compromise of the integrity of the booking system.

The CVSS score of 6.5 indicates a medium severity, with high confidentiality impact but no impact on integrity or availability.

Detection Guidance

This vulnerability involves SQL Injection via the `sort` parameter in the payments listing endpoint of the Amelia Booking WordPress plugin. Detection would involve monitoring or testing the behavior of this endpoint when manipulated with malicious `sort` parameter values.

Since the vulnerability requires authenticated users with Manager-level (`wpamelia-manager`) access or higher, detection can include attempting to send crafted GET requests to the payments listing endpoint with malicious `sort` parameters to observe abnormal responses or delays indicative of time-based blind SQL injection.

Suggested commands for detection could include using curl or similar tools to send requests with suspicious `sort` values, for example:

  • curl -i -b 'wordpress_logged_in=your_auth_cookie' 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=amelia_payments&sort=id ASC'
  • curl -i -b 'wordpress_logged_in=your_auth_cookie' 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=amelia_payments&sort=id ASC; WAITFOR DELAY '0:0:5''

The second command attempts to inject a time delay to detect SQL injection via time-based blind techniques. Monitoring response times can help identify the vulnerability.

Note: Proper authentication cookies or session tokens with Manager-level access are required to perform these tests.

Mitigation Strategies

Immediate mitigation steps include:

  • Update the Amelia Booking plugin to a version later than 2.1.2 where this vulnerability is fixed.
  • Restrict or review user roles and permissions to ensure only trusted users have Manager-level (`wpamelia-manager`) access or higher.
  • Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection attempts targeting the `sort` parameter in the payments listing endpoint.
  • Monitor logs for unusual activity or repeated failed attempts to exploit the `sort` parameter.

Since the vulnerability arises from insufficient sanitization of the `sort` parameter and bypass of nonce validation in GET requests, applying the official patch or plugin update is the most effective mitigation.

Compliance Impact

The vulnerability allows authenticated users with Manager-level access to perform SQL Injection attacks that can extract sensitive information from the database. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access or disclosure.

Since the vulnerability enables extraction of sensitive information via SQL Injection, it increases the risk of data breaches, which are subject to strict reporting and remediation requirements under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4668. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart