CVE-2025-12482 is a SQL Injection vulnerability identified in the Amelia Booking for Appointments and Events Calendar plugin for WordPress, affecting all versions up to and including 1.2.35. The vulnerability stems from improper neutralization of special characters in the 'search' parameter, which is used in SQL queries without adequate escaping or prepared statements. This flaw allows unauthenticated attackers to append arbitrary SQL commands to existing queries, enabling them to extract sensitive information from the backend database. The vulnerability does not require any authentication or user interaction, increasing its exploitability. The CVSS v3.1 score of 7.5 reflects a high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed, with a significant impact on confidentiality but no impact on integrity or availability. While no public exploits have been reported yet, the nature of SQL injection vulnerabilities makes them attractive targets for attackers aiming to access sensitive data such as user credentials, personal information, or business records. The vulnerability affects a widely used WordPress plugin that manages appointment and event bookings, which is commonly deployed by businesses and organizations to handle customer scheduling. The lack of an official patch at the time of disclosure necessitates immediate mitigation steps to prevent exploitation.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive customer and business data stored in WordPress databases. Organizations using the Amelia plugin for appointment or event management may face data breaches exposing personal identifiable information (PII), payment details, or internal business data. Such breaches can lead to regulatory non-compliance under GDPR, resulting in substantial fines and reputational damage. The vulnerability's ease of exploitation by unauthenticated attackers increases the likelihood of automated scanning and exploitation attempts, potentially leading to widespread compromise of affected websites. Additionally, compromised sites could be leveraged for further attacks such as phishing or malware distribution. The impact is particularly critical for sectors like healthcare, legal, and financial services in Europe, where appointment data often contains sensitive client information. The disruption caused by data breaches can also affect operational continuity and customer trust.

Immediate mitigation should include disabling or uninstalling the Amelia Booking plugin until a secure patched version is released by the vendor. If disabling is not feasible, restrict access to the vulnerable 'search' parameter by implementing web application firewall (WAF) rules that detect and block SQL injection patterns, especially those targeting the plugin's endpoints. Employ input validation and sanitization at the web server or application firewall level to filter out malicious input. Monitor web server and database logs for unusual query patterns or spikes in failed queries that may indicate exploitation attempts. Limit database user permissions to the minimum necessary to reduce the impact of potential data extraction. Organizations should also ensure regular backups of WordPress sites and databases to enable recovery in case of compromise. Finally, maintain vigilance for vendor updates and apply patches promptly once available.