PT-2025-48009 · WordPress · Bookme – Free Online Appointment Booking/Scheduling Plugin For Wordpress

Sopon Tangpathum · Published 2025-11-25 · Updated 2025-11-25 · CVE-2025-13385

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress versions prior to 4.3

Description

The Bookme plugin for WordPress is susceptible to time-based SQL Injection. This is due to inadequate input sanitization of the filter[status] parameter, allowing authenticated attackers with admin-level access or higher to inject additional SQL queries into existing database queries. This can lead to the extraction of sensitive information from the database.

Recommendations

Update Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress to version 4.3 or later.

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2025-13385

Affected Products: Bookme – Free Online Appointment Booking/Scheduling Plugin For Wordpress