CVE-2025-59129

2025-12-30

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 30, 2025 - 17:15 (nvd)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appointify Appointify appointify allows Blind SQL Injection. This issue affects Appointify: from n/a through <= 1.0.8.

Analysis

A blind SQL injection in the Appointify WordPress plugin, version 1.0.8 and earlier, allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying database. Without valid credentials or any authentication, an attacker can extract or manipulate data through time-based or error-based inference. The EPSS score of 0.04% indicates a low statistical likelihood of exploitation despite the technical severity of SQL injection.

Technical Context

The vulnerability stems from improper input validation and a lack of parameterization in database query construction within the Appointify WordPress plugin, classified under CWE-89 (SQL Injection). Appointify is a WordPress plugin that provides appointment scheduling and booking functionality. The blind variant means an attacker cannot observe query results directly and must instead infer data from response-timing differences (time-based) or from database error messages; exploitation is more involved than with a classic injection but remains viable. The plugin processes user input without adequate prepared statements or parameterized queries, so malicious SQL syntax in that input is interpreted as part of the command rather than as a data literal.
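To make the "commands rather than data literals" distinction concrete, here is an added example that is not Appointify's code (the advisory does not publish the vulnerable source): a hypothetical appointment-lookup query written the unsafe way and then with the parameterized API WordPress ships in `$wpdb`. The function names, the `appointify_bookings` table and the `date` request parameter are assumptions; `$wpdb->prepare()`, `sanitize_text_field()`, `wp_unslash()` and `WP_Error` are standard WordPress APIs.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical booking
// lookup shaped like the CWE-89 pattern the advisory describes, followed by
// the same query built with $wpdb->prepare().

global $wpdb;
$table = $wpdb->prefix . 'appointify_bookings'; // hypothetical table name

// VULNERABLE: the request value is spliced into the SQL text, so a crafted
// value is parsed as SQL syntax instead of being treated as a data literal.
function appointify_lookup_unsafe( $wpdb, $table, $date ) {
    $sql = "SELECT id, start_time FROM {$table} WHERE booking_date = '{$date}'";
    return $wpdb->get_results( $sql ); // runs the string exactly as assembled
}

// HARDENED: the statement's structure is fixed first; $wpdb->prepare() then
// binds the value as an escaped, quoted string literal (%s). The table name
// is built from the trusted $wpdb->prefix, never from request data.
// Validating the one format a booking date can take is defense in depth: it
// rejects anything containing SQL syntax before it reaches the database.
function appointify_lookup_safe( $wpdb, $table, $date ) {
    $date = sanitize_text_field( wp_unslash( $date ) );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        return new WP_Error( 'appointify_bad_date', 'Invalid booking date.' );
    }
    $sql = $wpdb->prepare(
        "SELECT id, start_time FROM {$table} WHERE booking_date = %s",
        $date
    );
    return $wpdb->get_results( $sql );
}

// Example call from a request handler; the 'date' parameter is assumed.
$raw_date = isset( $_GET['date'] ) ? $_GET['date'] : '';
$rows     = appointify_lookup_safe( $wpdb, $table, $raw_date );
```

The fix that addresses CWE-89 is the binding in `appointify_lookup_safe()`, which settles the query shape before any input is substituted; the format check only narrows what reaches the bound parameter.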

Affected Products

Appointify WordPress plugin version 1.0.8 and all earlier versions are affected. The plugin is identified by CPE context as the WordPress plugin appointify (https://patchstack.com/database/Wordpress/Plugin/appointify/). The vulnerability was reported by Patchstack security researchers; it does not appear to affect any other independently named product and is specific to the Appointify plugin.

Remediation

Update the Appointify WordPress plugin to a version newer than 1.0.8 immediately once a patched release is available. Verify patch availability on the WordPress plugin repository or through the plugin vendor's official channels. Until a patched version is available, administrators should disable the Appointify plugin or restrict access to its forms and appointment-submission endpoints using Web Application Firewall rules or request filtering. Review database access logs for signs of exploitation, particularly queries containing unexpected SQL keywords or time-delay functions. Detailed remediation guidance is available at https://patchstack.com/database/Wordpress/Plugin/appointify/vulnerability/wordpress-appointify-plugin-1-0-8-sql-injection-vulnerability.

Priority Score

0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
