CVE-2025-12482

WordPress · WordPress "Booking for Appointments and Events Calendar – Amelia" plugin

A high-severity vulnerability has been identified in the "Booking for Appointments and Events Calendar – Amelia" plugin for WordPress.

Executive summary

The flaw is a SQL injection (SQLi) reachable through the plugin's search function: an attacker who can reach the site submits SQL syntax in a search value, and the database executes it as part of the plugin's own query. Successful exploitation could lead to the theft of sensitive data (customer and appointment records, and potentially WordPress user password hashes), unauthorized modification of stored content, or a complete compromise of the site's database.

Vulnerability

The plugin is vulnerable to SQL injection because it does not properly escape the user-supplied ‘search’ parameter, nor bind it as a prepared-statement parameter (the `$wpdb->prepare()` pattern in WordPress), before concatenating it into a database query. Because the vulnerable code path does not require authentication, an unauthenticated attacker can craft a request whose ‘search’ value closes the quoted string the plugin builds and appends SQL of their choosing (for example a UNION SELECT against another table, or a time-based blind payload). The attacker's SQL runs with the privileges of the WordPress database account, which typically lets them read, modify, or delete data across all site tables and, for example, extract administrator password hashes from the users table as a path to privilege escalation.

Business impact

This vulnerability is rated High severity with a CVSS score of 7.5. A successful exploit could have significant business consequences, including unauthorized disclosure of customer information (names, contact details, appointment data) and of other confidential business data held in the same database. Because the WordPress database account usually has access to every table on the site, the exposure is not limited to the plugin's own data. This could lead to reputational damage, loss of customer trust, financial losses, and regulatory fines for non-compliance with data protection regulations such as GDPR or CCPA.

Remediation

Immediate Action: Update the "Booking for Appointments and Events Calendar – Amelia" plugin to the latest version available from the vendor, which addresses this vulnerability; confirm the installed version after the update, since auto-updates can silently fail. If the plugin is not essential for business operations, deactivate and remove it to eliminate the attack surface (deactivating alone leaves the plugin's files on disk).

Proactive Monitoring: Monitor web server access logs for suspicious requests targeting the plugin, specifically for SQL syntax (e.g., UNION, SELECT, --, #, /*) and time-based blind-injection primitives (SLEEP, BENCHMARK) within the ‘search’ parameter. Decode the value before matching, because the payload will normally be URL-encoded in the log (a quote appears as %27, a space as %20) and a single apostrophe on its own is a common false positive in names. Note that access logs only capture parameters sent in the query string; if the search is submitted in a POST body, request-body logging at the web server or WAF is needed. Implement database activity monitoring to alert on unusual query patterns (UNION queries against wp_users, queries against information_schema, or repeated slow queries that suggest time-based probing). Use a Web Application Firewall (WAF) to identify and block SQL injection signatures in real time.
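As an added example of the log check above (written for this page, not part of the original advisory), the following script parses combined-format access log lines, URL-decodes the ‘search’ parameter, and scores it against a few SQL-injection signals. The log lines are constructed, the endpoint path and `action` value are placeholders rather than the plugin's real endpoint, and the signal patterns are a starting point to tune, not a complete ruleset.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed combined-format log lines, not real traffic. The endpoint path
# and action=example are placeholders; substitute the plugin's actual search
# endpoint from the vendor advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&search=dentist HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Nov/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=example&search=x%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.12 - - [01/Nov/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&search=a%27%29%20AND%20SLEEP%285%29%23 HTTP/1.1" 200 256 "-" "python-requests/2.32"
203.0.113.13 - - [01/Nov/2025:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=example&search=O%27Brien HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Nov/2025:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Signals are evaluated on the decoded value. A lone apostrophe (O'Brien) is
# deliberately not a signal; it is too common in legitimate names.
SIGNALS = {
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$|--\s"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+\S+\s*=", re.I),
    "stacked": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
}


def decode_search(target: str):
    """Return the decoded 'search' query parameter, or None if absent."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "search" not in qs:
        return None
    # parse_qs decodes once; decode a second time to catch double-encoded
    # payloads (%2527 -> %27 -> '). Side effect: a literal '+' in a
    # once-decoded value becomes a space, which is acceptable for detection.
    return unquote_plus(qs["search"][0])


def scan(log_text: str) -> list[dict]:
    """Return one hit per log line whose 'search' value matches any signal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = decode_search(m["target"])
        if value is None:
            continue
        matched = [name for name, rx in SIGNALS.items() if rx.search(value)]
        if matched:
            hits.append({"ip": m["ip"], "ts": m["ts"], "search": value, "signals": matched})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['signals']} search={hit['search']!r}")
```

Run against the sample, the UNION request and the SLEEP request are flagged, while the plain search and the apostrophe in "O'Brien" are not. A `time_based` hit is worth correlating with the response time column if your log format records it; a blind payload that succeeded will also show as a slow request.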

Compensating Controls: If patching cannot be performed immediately, deploy a WAF with a strict ruleset designed to block SQL injection attempts, treating it as a stopgap rather than a fix, since signature-based rules can be bypassed with encoding and comment tricks. Restrict the WordPress database account to the principle of least privilege: grant it only the data-manipulation rights it needs on the site's own database, and do not give it FILE, SUPER, or access to other databases on the same server. This does not prevent the injection, but it limits what a successful one can read or change.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 7.5) and the potential for significant data compromise, immediate action is required. Organizations using the affected Amelia WordPress plugin must prioritize applying the vendor-supplied update without delay. Although this vulnerability is not currently on the CISA KEV list and no public exploit is reported, an unauthenticated SQL injection in a widely installed WordPress plugin is a prime target for opportunistic mass scanning once details are public, and it should be treated as a priority threat to the security of the web application.