CVE-2025-12166 identifies a blind SQL Injection vulnerability in the 'Appointment Booking Calendar — Simply Schedule Appointments Booking' WordPress plugin developed by croixhaug. The flaw exists in all versions up to and including 1.6.9.9, where the plugin fails to properly sanitize and escape user-supplied input in the 'order' and 'append_where_sql' parameters. These parameters are incorporated directly into SQL queries without adequate preparation or parameterization, allowing attackers to append arbitrary SQL commands. Because the vulnerability is blind SQL Injection, attackers cannot see immediate query results but can infer data through timing or boolean-based techniques. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The impact is primarily on confidentiality, as attackers can extract sensitive database information such as user data, appointment details, or configuration settings. The vulnerability is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 score of 7.5 reflects network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the risk remains significant given the plugin’s usage in WordPress sites worldwide.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data managed through the affected WordPress plugin. Appointment booking systems often store personal identifiable information (PII), contact details, and scheduling data, which if exfiltrated, could lead to privacy violations and regulatory non-compliance under GDPR. The ability for unauthenticated attackers to remotely extract data without detection increases the threat level. Organizations relying on this plugin for customer-facing services may face reputational damage and potential legal consequences if data breaches occur. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if attackers gain insights into backend database structures. The lack of known exploits suggests a window for proactive mitigation, but the widespread use of WordPress and this plugin in European SMEs and service providers amplifies the potential impact.

1. Immediate action should be to monitor for plugin updates from the vendor croixhaug and apply patches as soon as they become available. 2. Until an official patch is released, disable or remove the vulnerable plugin from WordPress installations to eliminate exposure. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the 'order' and 'append_where_sql' parameters. 4. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters influencing SQL queries. 5. Where possible, migrate to alternative appointment booking plugins with a strong security track record. 6. Review and harden database user permissions to limit the impact of potential SQL injection exploitation. 7. Enable detailed logging and monitoring to detect anomalous query patterns indicative of blind SQL injection attempts. 8. Educate site administrators on the risks of outdated plugins and enforce strict plugin update policies. 9. Perform regular vulnerability scans and penetration tests focusing on WordPress plugins to identify similar issues proactively.