Amelia WordPress Plugin SQL Injection Vulnerability in Payment Sorting
Vulnerability
A SQL injection vulnerability has been identified in the Booking for Appointments and Events Calendar - Amelia plugin for WordPress, affecting all versions through 2.1.2. The vulnerability arises in the payments listing endpoint, where the 'sort' parameter is inadequately sanitized before being incorporated into the SQL query's ORDER BY clause. This flaw allows authenticated attackers with Manager-level access to manipulate the SQL query, potentially leading to the extraction of sensitive database information through time-based blind SQL injection.
Impact
Exploitation of this vulnerability allows authenticated attackers to perform SQL injection, appending additional SQL to the existing query in order to extract sensitive information from the database.
Reproduction
To reproduce this vulnerability, an authenticated user with Manager-level access can send a GET request to the payments listing endpoint with a crafted 'sort' parameter. The absence of proper nonce validation in GET requests allows this exploitation to bypass security measures that would typically prevent such actions.
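The root cause described above is a 'sort' value concatenated into ORDER BY on a GET endpoint without a nonce check. The following is an added example, not the Amelia plugin's code, of the defensive pattern: an allow-list mapping sort keys to fixed column names, a nonce check before any request value is read, and `$wpdb->prepare()` for the remaining bound values. All function, table and column names in it are hypothetical.

```php
<?php
// Added example, not Amelia's code: an allow-list for the 'sort' parameter of a
// payments listing. ORDER BY column names cannot be bound as prepared-statement
// values, so the request value is mapped onto fixed column names instead of being
// inserted as text. All function, table and column names here are hypothetical.

// Map a sort key such as "created" or "-amount" onto a safe ORDER BY fragment.
// Returns null for anything outside the allow-list.
function example_build_payments_order_by( string $sort ): ?string {
    $allowed_columns = [
        'created' => 'created_at',
        'amount'  => 'amount',
        'status'  => 'status',
    ];
    // A leading '-' requests descending order; strip it before the lookup.
    $direction = 'ASC';
    if ( $sort !== '' && $sort[0] === '-' ) {
        $direction = 'DESC';
        $sort      = substr( $sort, 1 );
    }
    // Unknown keys are rejected outright; the raw value never reaches SQL.
    if ( ! array_key_exists( $sort, $allowed_columns ) ) {
        return null;
    }
    return $allowed_columns[ $sort ] . ' ' . $direction;
}

// Build the payments listing query for a GET endpoint. The nonce check runs
// before any request value is used, so a forged link cannot trigger the query.
function example_payments_listing_query( \wpdb $wpdb, array $request ): string {
    check_admin_referer( 'example_payments_list', '_wpnonce' );

    $order_by = example_build_payments_order_by( (string) ( $request['sort'] ?? '' ) );
    if ( $order_by === null ) {
        $order_by = 'created_at DESC'; // safe default for unrecognised sort keys
    }
    // Bound values go through $wpdb->prepare(); the ORDER BY fragment consists
    // only of literals chosen from the allow-list above.
    $limit = (int) ( $request['limit'] ?? 25 );
    return $wpdb->prepare(
        "SELECT id, amount, status, created_at FROM {$wpdb->prefix}example_payments
         ORDER BY {$order_by} LIMIT %d",
        $limit
    );
}
```

Because the ORDER BY fragment is assembled only from allow-listed literals, a sort value that is not an exact key is dropped rather than escaped, which is what prevents time-based blind injection through this parameter.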
Remediation
Users are advised to update the Amelia WordPress plugin to version 2.1.3 or later, where this vulnerability has been patched.
