Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection.This issue affects Amelia: from n/a through <= 2.1.1.
AnalysisAI
Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged users to extract database contents through improper input sanitization. The vulnerability requires high-privilege access (administrator-level) but permits cross-scope impact, enabling extraction of confidential data and potential service disruption. CVSS 7.6 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Technical ContextAI
CWE-89 SQL injection stemming from insufficient neutralization of special SQL characters in user-controlled input. CVSS vector PR:H indicates exploitation requires high-privilege WordPress administrative credentials. Scope change (S:C) suggests injection may access resources beyond plugin's normal authorization boundary, potentially compromising database integrity across WordPress installation.
RemediationAI
Vendor-released patch status not confirmed in available advisories. Users should immediately check for Amelia plugin updates beyond version 2.1.1 through WordPress admin dashboard or vendor channels. If no patched version is available, deactivate the Amelia plugin until a fix is released to eliminate SQL injection risk. Restrict WordPress administrator access to trusted personnel only as exploitation requires high-privilege credentials. Monitor database query logs for anomalous SELECT statements or time-based delays indicative of blind SQLi attempts. Consult Patchstack advisory for technical details: https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-2-1-1-sql-injection-vulnerability. Review NVD record: https://nvd.nist.gov/vuln/detail/CVE-2026-39487.
The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user
The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in a
Missing Authorization vulnerability in TMS Amelia ameliabooking.0.98. Rated critical severity (CVSS 9.8), this vulnerabi
The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing
The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any cu
The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any cu
Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unkn
Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-p
The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow a
Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows
The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the l
The Booking for Appointments and Events Calendar - Amelia Premium and Lite plugins for WordPress are vulnerable to unaut
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20156
GHSA-x5j5-m454-hv4r