Doctor Appointment Booking CVE-2025-27263
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Doctor Appointment Booking allows SQL Injection. This issue affects Doctor Appointment Booking: from n/a through 1.0.0.
AnalysisAI
SQL injection in Doctor Appointment Booking WordPress plugin versions up to 1.0.0 allows authenticated attackers with low-level privileges to extract sensitive database information and potentially cause availability disruption. The vulnerability enables scope change, meaning attackers can access resources beyond their authorized privilege level to read high-sensitivity data. With EPSS probability at 0.12% (31st percentile) and no evidence of active exploitation or public exploit code, this represents a moderate real-world risk primarily for sites where low-privileged user accounts (subscriber/contributor roles) exist.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in a WordPress plugin designed for medical appointment scheduling. The flaw occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized query usage. WordPress plugins written in PHP commonly interact with MySQL/MariaDB databases, and this vulnerability likely exists in patient/doctor booking functions, search features, or calendar views where authenticated users can supply input parameters. The scope change (S:C) in the CVSS vector indicates the vulnerable component can affect resources beyond its security scope, suggesting the SQL injection may bypass WordPress's user privilege separation and access the entire database rather than just plugin-specific tables.
Affected ProductsAI
The vulnerability affects the Doctor Appointment Booking plugin for WordPress, specifically version 1.0.0 and all prior versions. This appears to be developed by NotFound (vendor identification from NVD data). The plugin is distributed through the WordPress plugin repository and is designed for medical practices, clinics, and healthcare providers to manage patient appointment scheduling. Detailed vulnerability information and vendor response status is available through Patchstack's vulnerability database at https://patchstack.com/database/wordpress/plugin/doctor-appointment-booking/vulnerability/wordpress-doctor-appointment-booking-plugin-1-0-0-sql-injection-vulnerability.
RemediationAI
WordPress site administrators should immediately check their plugin version and assess whether a patched release beyond version 1.0.0 is available from the WordPress plugin repository or the plugin developer. As of this analysis, Patchstack has disclosed the vulnerability but patch availability is not confirmed in the provided data sources. If no update exists, implement compensating controls: restrict new user registration to prevent creation of low-privilege accounts that could exploit this flaw, audit existing subscriber and contributor accounts for legitimacy, enable WordPress database activity monitoring to detect SQL injection attempts in plugin queries, and consider temporarily deactivating the plugin if appointment booking can be handled through alternative means. Review WordPress user roles to ensure the principle of least privilege - limit low-privilege account creation unless operationally necessary. Database-level protections such as read-only replicas for reporting queries and separate database users with limited permissions can reduce confidentiality impact. Monitor the Patchstack advisory and WordPress plugin repository for official patch release announcements.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today