Michael Perla

Name of the Vulnerable Software and Affected Versions Booking for Appointments and Events Calendar - Amelia plugin for WordPress versions through 2.1.2. Description The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is susceptible to SQL injection through the `sort` parameter in the payments listing endpoint. This is due to insufficient escaping of the user-supplied `sort` parameter and inadequate preparation of the SQL query in `PaymentRepository.php`, where the sort field is directly interpolated into an ORDER BY clause without sanitization or whitelist validation. PDO prepared statements do not protect ORDER BY column names. GET requests also bypass Amelia's nonce validation. This allows authenticated attackers with Manager-level (`wpamelia-manager`) access and above to append additional SQL queries to existing queries, potentially extracting sensitive information from the database via time-based blind SQL injection. Recommendations Update to a version beyond 2.1.2.