Booking For Appointments And Events Calendar Amelia
Monthly
SQL Injection in the Amelia booking plugin for WordPress (versions through 2.4.3) allows authenticated attackers holding the wpamelia-manager role to exfiltrate arbitrary data from the site's database via the Customer Import feature. The flaw stems from unsanitized user-supplied parameters passed into pre-existing SQL queries without adequate escaping or prepared statement usage, enabling stacked or appended query manipulation. No public exploit code or active exploitation has been identified at the time of analysis, and the confidentiality-only impact (C:H/I:N/A:N) reflects read-level database access rather than modification or destruction capability.
SQL Injection in the Amelia booking plugin for WordPress (versions through 2.4.3) allows authenticated attackers holding the wpamelia-manager role to exfiltrate arbitrary data from the site's database via the Customer Import feature. The flaw stems from unsanitized user-supplied parameters passed into pre-existing SQL queries without adequate escaping or prepared statement usage, enabling stacked or appended query manipulation. No public exploit code or active exploitation has been identified at the time of analysis, and the confidentiality-only impact (C:H/I:N/A:N) reflects read-level database access rather than modification or destruction capability.