WordPress Security Bulletin: Booking for Appointments and Events Calendar – Amelia Plugin Vulnerability (CVE-2026-4668)

Security Alert Summary

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress contains a SQL injection vulnerability in the payments listing endpoint. The issue involves the sort parameter being interpolated directly into an ORDER BY clause in PaymentRepository.php without sanitization or whitelist validation, and GET requests bypassing the plugin nonce validation. Authenticated users with Manager-level (wpamelia-manager) access or higher can exploit this to perform time-based blind SQL injection and extract sensitive data.


CVE Details

  • CVE ID: CVE-2026-4668
  • Affected plugin / component: Booking for Appointments and Events Calendar – Amelia plugin for WordPress
  • Affected versions: All versions up to, and including, 2.1.2
  • Published: April 1, 2026, 12:16 AM UTC
  • Last modified: April 1, 2026, 2:23 PM UTC
  • CVSS v3.1: Base Score 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user with Manager-level (wpamelia-manager) access or higher. CVSS indicates Privileges Required: LOW and User Interaction: NONE.
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE.
  • Weakness (CWE): CWE-89 (SQL Injection)

Technical Details

The vulnerability is a SQL injection in the payments listing endpoint that accepts a sort parameter. The plugin code interpolates the user-supplied sort field directly into an ORDER BY clause inside PaymentRepository.php without escaping, sanitizing, or validating against a whitelist of allowed column names. Because PDO prepared statements do not protect SQL identifiers such as column names, the existing use of prepared statements does not mitigate this issue for the ORDER BY clause.

Additionally, GET requests to the payments listing endpoint bypass Amelia’s nonce validation. A WordPress nonce is primarily a cross-site request forgery defense rather than an authorization check, so its absence does not by itself make the query injectable, but it does remove one server-side hurdle on the request path. Together, these issues allow an authenticated user with Manager-level access or greater to append SQL to the existing query and perform time-based blind SQL injection to infer sensitive database contents one condition at a time.
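The following is an added illustration, not code from the Amelia plugin, of the class of bug described above: a request-controlled sort field interpolated into ORDER BY, beside the whitelist-validated form that closes the hole. Table and column names, the function names, and the sample inputs are all hypothetical. It shows why value placeholders do not help here and how a fixed identifier map keeps a time-based payload out of the query text.

```php
<?php
// Added illustrative example (hypothetical schema and function names, not the
// plugin's own code): user-controlled ORDER BY, vulnerable and hardened.

// Vulnerable pattern. Prepared-statement placeholders bind values only; an
// identifier in ORDER BY cannot be bound, so the raw string lands in the SQL.
function buildPaymentsQueryVulnerable(string $sort, string $direction): string
{
    return "SELECT id, amount, status FROM payments ORDER BY {$sort} {$direction}";
}

// Hardened pattern. The request value selects from a fixed set of known
// columns and directions; anything else falls back to a safe default.
const ALLOWED_SORT_COLUMNS = ['id', 'amount', 'status', 'created_at'];
const ALLOWED_DIRECTIONS   = ['ASC', 'DESC'];

function buildPaymentsQuerySafe(string $sort, string $direction): string
{
    $column = in_array($sort, ALLOWED_SORT_COLUMNS, true) ? $sort : 'id';
    $dir    = in_array(strtoupper($direction), ALLOWED_DIRECTIONS, true)
        ? strtoupper($direction)
        : 'ASC';
    return "SELECT id, amount, status FROM payments ORDER BY `{$column}` {$dir}";
}

// Constructed inputs: a legitimate sort field and one carrying a generic
// time-based payload of the kind blind SQLi relies on. The vulnerable builder
// emits it verbatim; the hardened builder replaces it with the default column.
$inputs = [
    ['amount', 'desc'],
    ['id, (SELECT SLEEP(5))', 'asc'],
];

foreach ($inputs as [$sort, $direction]) {
    echo "input:      {$sort}\n";
    echo "vulnerable: " . buildPaymentsQueryVulnerable($sort, $direction) . "\n";
    echo "hardened:   " . buildPaymentsQuerySafe($sort, $direction) . "\n\n";
}
```

The whitelist is the fix for the ORDER BY issue; the nonce problem is separate and is addressed by applying the same referer/nonce check (for example `check_ajax_referer()` in WordPress) to GET as to POST handlers, since a nonce check only works when the endpoint actually invokes it.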


How This Could Impact Your Website

On a multi-user WordPress site, a typical scenario could involve a site owner who grants an internal staff member or an external contractor Manager-level access to handle bookings and payments. If that user account is malicious or compromised, an attacker could exploit the vulnerable payments endpoint to execute time-based blind SQL injection queries. Practical consequences include exposure of sensitive database contents such as user contact information or payment metadata, which can increase the risk of targeted phishing or social engineering against staff or customers.

The issue does not directly indicate arbitrary code execution or full site takeover, but the confidentiality impact is rated high because sensitive data may be extracted. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the plugin to a release newer than 2.1.2 as soon as a patched version is available; every release up to and including 2.1.2 is affected.
  • Review and reduce unnecessary user roles and permissions, especially accounts holding the wpamelia-manager role or higher, since that is the privilege level needed to reach the vulnerable endpoint.
  • Enforce strong passwords and enable two-factor authentication for Manager-level accounts as well as editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and database logs for unusual queries or slow responses that may indicate time-based injection attempts; the MySQL slow query log is a practical place to spot SLEEP() or BENCHMARK() expressions appearing in ORDER BY clauses of payments queries.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

