{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12482", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-29T17:32:20.139Z", "datePublished": "2025-11-16T04:17:30.278Z", "dateUpdated": "2026-04-08T17:23:22.020Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:22.020Z"}, "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.35", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to SQL Injection via the \u2018search\u2019 parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "Booking for Appointments and Events Calendar \u2013 Amelia <= 1.2.35 - Unauthenticated SQL Injection via search", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cacf2e32-12cf-41a9-a57f-1135c165494c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3390245/ameliabooking/tags/1.2.36/src/Infrastructure/Repository/Booking/Event/EventRepository.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "JEONG YU CHAN"}], "timeline": [{"time": "2025-11-03T16:58:51.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-15T15:54:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-17T18:48:02.900645Z", "id": "CVE-2025-12482", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-17T18:48:12.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12482", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-17T18:48:02.900645Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-17T18:48:08.476Z"}}], "cna": {"title": "Booking for Appointments and Events Calendar \u2013 Amelia <= 1.2.35 - Unauthenticated SQL Injection via search", "credits": [{"lang": "en", "type": "finder", "value": "JEONG YU CHAN"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.35"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T16:58:51.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-15T15:54:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cacf2e32-12cf-41a9-a57f-1135c165494c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3390245/ameliabooking/tags/1.2.36/src/Infrastructure/Repository/Booking/Event/EventRepository.php"}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to SQL Injection via the \u2018search\u2019 parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-16T04:17:30.278Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12482", "state": "PUBLISHED", "dateUpdated": "2025-11-17T18:48:12.735Z", "dateReserved": "2025-10-29T17:32:20.139Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-16T04:17:30.278Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to SQL Injection via the \u2018search\u2019 parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "id": "CVE-2025-12482", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-16T05:15:59.280", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3390245/ameliabooking/tags/1.2.36/src/Infrastructure/Repository/Booking/Event/EventRepository.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cacf2e32-12cf-41a9-a57f-1135c165494c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:32:40.935583+00:00", "value": {"mitigation_remediation": ["Update the Amelia plugin to version 1.2.36 or later to remove the vulnerable code", "If a prompt upgrade cannot be performed, disable or restrict the plugin\u2019s search functionality\u2014blocking the search endpoint or preventing unauthenticated access", "Deploy a temporary filter or Web Application Firewall rule that blocks SQL meta-characters (e.g., ';', '--', '/*') in the search parameter to reduce exploitation risk"], "summary": {"action": "Apply Patch", "impact": "Unauthenticated SQL Injection exposing sensitive database data"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Amelia Booking for Appointments and Events Calendar plugin up to and including version 1.2.35 are vulnerable. Sites using the updated 1.2.36 release are not affected as the fix was applied to the EventRepository logic.", "description_and_impact": "The Amelia WordPress plugin version 1.2.35 and earlier contain a SQL Injection flaw in the search parameter because the input is not properly escaped or bound in the existing query. An unauthenticated attacker can inject arbitrary SQL code, allowing extraction of confidential information from the database. This vulnerability is identified as CWE\u201189, reflecting that the underlying misuse of an SQL parser can be exploited without authentication.", "risk_and_exploitability": "The CVSS score of 7.5 represents a high\u2011severity risk; however the EPSS probability of exploitation is less than 1%, indicating a low likelihood of widespread attacks at present. The vulnerability is not listed in the CISA KEV catalog, which suggests it has not yet been observed in known exploits. Attackers would need to craft a web request targeting the search endpoint, exploit the injection point, and read data, requiring no privileges on the host server."}}}}, "created": "2025-11-17T10:09:32.439001+00:00", "updated": "2026-04-22T00:45:04.149161+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}