CVE-2025-12482 is an SQL Injection vulnerability classified under CWE-89, affecting the Amelia Booking for Appointments and Events Calendar plugin for WordPress. The vulnerability arises from insufficient escaping and lack of prepared statements in handling the 'search' parameter within SQL queries. This flaw allows unauthenticated attackers to append malicious SQL commands to existing queries, enabling them to extract sensitive information from the backend database. The vulnerability affects all versions up to and including 1.2.35. The CVSS 3.1 base score is 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality (C:H) but no impact on integrity (I:N) or availability (A:N). No patches or known exploits are currently reported, but the vulnerability's nature makes it a prime target for exploitation once weaponized. The plugin is widely used for appointment and event management on WordPress sites, making this a significant risk for organizations relying on it for customer-facing services. The vulnerability can be exploited remotely without authentication, increasing its threat level. The lack of input sanitization and failure to use parameterized queries are the root causes. Attackers could leverage this to retrieve sensitive data such as user information, booking details, or other confidential records stored in the database.

For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive customer and business data, including personally identifiable information (PII), appointment details, and payment information if stored in the database. This could result in reputational damage, regulatory fines under GDPR for data breaches, and loss of customer trust. Since the vulnerability does not affect data integrity or availability, direct service disruption or data manipulation is less likely; however, the confidentiality breach alone is critical. Organizations in sectors such as healthcare, legal, education, and professional services that use Amelia for scheduling are particularly vulnerable. The ease of exploitation without authentication increases the risk of automated scanning and mass exploitation campaigns targeting European WordPress sites. Data exfiltration could also aid further attacks, such as phishing or identity theft, amplifying the overall impact.

1. Immediately audit all WordPress sites using the Amelia Booking plugin to identify affected versions (up to 1.2.35). 2. Disable the plugin temporarily if patching is not yet available to prevent exploitation. 3. Monitor official Amelia and WordPress plugin repositories for security updates and apply patches promptly once released. 4. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'search' parameter, using signature-based and anomaly detection methods. 5. Conduct regular security assessments and code reviews for customizations involving database queries to ensure proper use of parameterized queries and input validation. 6. Limit database user permissions associated with the WordPress application to minimize data exposure in case of compromise. 7. Enable logging and alerting for suspicious query patterns or repeated failed attempts to exploit the vulnerability. 8. Educate site administrators on the risks of using outdated plugins and the importance of timely updates. 9. Consider deploying runtime application self-protection (RASP) tools that can detect and block injection attacks in real-time. 10. Backup databases regularly and securely to enable recovery if data exfiltration or corruption occurs.