CVE-2026-14782
Received Received - Intake

SQL Injection in Amelia WordPress Plugin

Vulnerability report for CVE-2026-14782, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Wordfence

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with wpamelia-manager role, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpamelia amelia to 2.4.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a SQL Injection flaw in the Amelia WordPress plugin. It allows authenticated attackers with the wpamelia-manager role to inject malicious SQL queries through the Customer Import feature. The issue arises from insufficient input sanitization and lack of proper SQL query preparation.

Detection Guidance

Detection requires checking for unauthorized SQL queries or suspicious database access patterns. Review WordPress logs for unusual activity from users with the wpamelia-manager role. Inspect plugin files for modified or injected code in the Amelia plugin directory.

Impact Analysis

An attacker could exploit this to extract sensitive data from the database, such as user credentials, personal information, or other confidential records. This could lead to data breaches, unauthorized access, or further compromise of the WordPress site.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR or HIPAA if sensitive personal or health data is exposed. Organizations may face legal penalties, fines, or reputational damage due to data breaches resulting from this flaw.

Mitigation Strategies

Update the Amelia plugin to the latest version immediately. Remove or restrict access for users with the wpamelia-manager role until the update is applied. Monitor database queries for unexpected activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14782. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart