CVE-2026-4668

Name of the Vulnerable Software and Affected Versions Booking for Appointments and Events Calendar - Amelia plugin for WordPress versions through 2.1.2.

Description The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is susceptible to SQL injection through the sort parameter in the payments listing endpoint. This is due to insufficient escaping of the user-supplied sort parameter and inadequate preparation of the SQL query in PaymentRepository.php, where the sort field is directly interpolated into an ORDER BY clause without sanitization or whitelist validation. PDO prepared statements do not protect ORDER BY column names. GET requests also bypass Amelia's nonce validation. This allows authenticated attackers with Manager-level (wpamelia-manager) access and above to append additional SQL queries to existing queries, potentially extracting sensitive information from the database via time-based blind SQL injection.

Recommendations Update to a version beyond 2.1.2.