CVE-2025-12166 is a blind SQL Injection vulnerability identified in the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, maintained by croixhaug. The vulnerability exists in all plugin versions up to and including 1.6.9.9 due to insufficient escaping and lack of proper preparation of SQL queries involving the 'order' and 'append_where_sql' parameters. These parameters accept user input that is directly concatenated into SQL statements without adequate sanitization or use of parameterized queries, violating CWE-89 standards. This flaw allows unauthenticated attackers to append malicious SQL code to existing queries, enabling them to extract sensitive information from the backend database through blind SQL Injection techniques. The vulnerability does not require any user interaction or authentication, increasing its exploitability. The CVSS v3.1 base score is 7.5, reflecting high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. While no public exploits have been reported yet, the widespread use of WordPress and this plugin in appointment booking contexts makes this a critical concern for organizations relying on these systems. The lack of available patches at the time of reporting necessitates immediate attention to mitigation strategies.

The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive data stored in the backend database of affected WordPress sites. Attackers can exploit the blind SQL Injection to extract confidential information such as user credentials, personal data, booking details, or other sensitive business information. This can lead to privacy violations, regulatory non-compliance, reputational damage, and potential financial losses. Since the vulnerability does not affect data integrity or availability directly, the risk is mainly confidentiality breach. However, extracted data can be used for further attacks, including account takeover or lateral movement within the network. Organizations worldwide using this plugin for appointment scheduling, especially those handling sensitive client data or operating in regulated industries, face significant risks. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and exploitation attempts, potentially leading to widespread compromise if unmitigated.

1. Immediate mitigation involves disabling or removing the vulnerable Appointment Booking Calendar plugin until a patched version is released. 2. Monitor official vendor channels and WordPress plugin repositories for security updates and apply patches promptly once available. 3. Implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL Injection attempts targeting the 'order' and 'append_where_sql' parameters. 4. Employ strict input validation and sanitization at the application level, ensuring that user-supplied data is never directly concatenated into SQL queries. 5. Use parameterized queries or prepared statements in custom code interacting with the plugin or database to prevent injection. 6. Conduct regular security audits and vulnerability scans focusing on SQL Injection vectors. 7. Restrict database user permissions to the minimum necessary to limit data exposure in case of exploitation. 8. Monitor logs for unusual query patterns or repeated access attempts to the vulnerable parameters. 9. Educate site administrators about the risks and signs of exploitation to enable rapid incident response. These steps collectively reduce the risk of exploitation until an official patch is available.