Amelia Plugin for WordPress Exposed to Sensitive Data Theft via Payments
CVE-2026-4668
Summary
The Amelia plugin for WordPress, used to manage appointments and events, has a SQL injection flaw that could allow authenticated users with Manager-level access or above to read sensitive information from the database. This issue affects all versions up to and including 2.1.2. To protect your data, update the plugin to the latest version, or consider disabling the payments feature until a fix is available.
Original title
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the `sort` parameter in the payments listing endpoint in all versions up to, and in...
Original description
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the `sort` parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied `sort` parameter and lack of sufficient preparation on the existing SQL query in `PaymentRepository.php`, where the sort field is interpolated directly into an ORDER BY clause without sanitization or whitelist validation. PDO prepared statements do not protect ORDER BY column names. GET requests also skip Amelia's nonce validation entirely. This makes it possible for authenticated attackers, with Manager-level (`wpamelia-manager`) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection.
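The pattern the description calls out, a sort field interpolated straight into an ORDER BY clause, beside the allowlist-based fix it recommends, as an added example that is not Amelia's code. The function names, the `payments` table schema, the accepted sort spelling (`column` or `-column`) and the use of an in-memory SQLite database through the `pdo_sqlite` extension are all assumptions made for this illustration.

```php
<?php
// Added example (not the plugin's code): a user-controlled sort field built into
// ORDER BY, first in the vulnerable shape the advisory describes, then hardened.

declare(strict_types=1);

// Vulnerable shape: $sort is interpolated into the SQL text. Binding $status as a
// parameter does not help, because PDO placeholders only cover values, never
// identifiers such as column names or sort directions. Shown for contrast; not called.
function listPaymentsVulnerable(PDO $pdo, string $sort, string $status): array
{
    $sql = "SELECT id, amount, status FROM payments WHERE status = :status ORDER BY $sort";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: the caller's sort value is only ever used as a key into a fixed
// map of permitted column names; the SQL text is assembled from map values and a
// fixed direction keyword, so no caller-supplied characters reach the query.
const PAYMENT_SORT_COLUMNS = [
    'id'     => 'id',
    'amount' => 'amount',
    'status' => 'status',
];

function buildOrderBy(string $sort): string
{
    // Accepted spelling (assumption): "column" or "-column", minus meaning descending.
    $direction = 'ASC';
    if ($sort !== '' && $sort[0] === '-') {
        $direction = 'DESC';
        $sort = substr($sort, 1);
    }
    // Unknown keys fall back to the default column; raising an error is equally valid.
    $column = PAYMENT_SORT_COLUMNS[$sort] ?? 'id';
    return "$column $direction";
}

function listPaymentsSafe(PDO $pdo, string $sort, string $status): array
{
    $orderBy = buildOrderBy($sort);  // contains only allowlisted tokens
    $stmt = $pdo->prepare("SELECT id, amount, status FROM payments WHERE status = :status ORDER BY $orderBy");
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (pdo_sqlite assumed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE payments (id INTEGER PRIMARY KEY, amount REAL, status TEXT)');
$pdo->exec("INSERT INTO payments (amount, status) VALUES (40.0, 'paid'), (15.5, 'paid'), (99.0, 'pending')");

// A legitimate sort key is honoured through the allowlist ...
print_r(listPaymentsSafe($pdo, '-amount', 'paid'));
// ... while a value that is not a known key collapses to the default ORDER BY text.
var_dump(buildOrderBy('amount, (SELECT 1)'));
```

The point of `buildOrderBy` is that the returned string is assembled only from literals the server owns; whether an unknown sort value is silently replaced or rejected with an error is a product decision, but either way it must never be copied into the query. The same allowlist approach applies to any identifier position (table names, column names, direction keywords) that prepared-statement parameters cannot cover, regardless of whether the request passes nonce validation.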
NVD CVSS 3.1
6.5
Vulnerability type
CWE-89
SQL Injection
- https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Applicatio...
- https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Infrastruc...
- https://plugins.trac.wordpress.org/changeset/3488955/ameliabooking/trunk/src/Inf...
- https://wordpress.org/plugins/ameliabooking/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1bfc5467-6610-4516-8c5...
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026