CVE-2025-13385: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in bylancer Bookme – Free Online Appointment Booking and Scheduling Plugin
CVE-2025-13385 is a medium-severity SQL Injection vulnerability affecting all versions up to 4.2 of the Bookme WordPress plugin by bylancer. The flaw exists in the `filter[status]` parameter, which is insufficiently sanitized, allowing authenticated users with admin privileges to perform time-based SQL injection attacks. Exploitation requires admin-level access and no user interaction, enabling attackers to extract sensitive database information. Although no known exploits are currently in the wild, the vulnerability poses a confidentiality risk. European organizations using this plugin for appointment scheduling could face data breaches if exploited. Mitigation involves updating the plugin once a patch is available or applying strict input validation and query parameterization. Countries with high WordPress usage and significant SME sectors, such as Germany, France, and the UK, are most likely affected. Due to the requirement for admin privileges and the medium CVSS score, the overall severity is medium. Defenders should prioritize access control reviews and monitor for suspicious admin activity related to this plugin.
AI Analysis
Technical Summary
CVE-2025-13385 is a time-based SQL Injection vulnerability identified in the Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress, developed by bylancer. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) specifically via the `filter[status]` parameter. This parameter is used in SQL queries without adequate escaping or parameterization, allowing an authenticated attacker with admin-level privileges to inject malicious SQL code. The injection is time-based, meaning attackers can infer data by measuring response delays, enabling extraction of sensitive database information such as user credentials, appointment details, or other confidential data stored in the backend. The vulnerability affects all versions up to and including 4.2 of the plugin. Exploitation requires no user interaction but does require high privileges (admin or above), limiting the attack surface to compromised or malicious insiders or attackers who have already gained elevated access. The CVSS v3.1 score is 4.9 (medium), reflecting the moderate impact on confidentiality without affecting integrity or availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used by small to medium businesses for appointment scheduling, making the vulnerability relevant to organizations relying on WordPress-based booking systems.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive customer and business data stored within the Bookme plugin's database. Given the plugin's role in managing appointments, attackers could extract personally identifiable information (PII), appointment schedules, and potentially other confidential business data. This could result in privacy violations under GDPR, reputational damage, and potential regulatory fines. The requirement for admin-level access reduces the risk of external exploitation but increases the threat from insider attacks or attackers who have compromised admin credentials. The lack of impact on integrity and availability means the primary concern is a confidentiality breach. Organizations using this plugin in sectors such as healthcare, legal services, or consulting, where appointment data is sensitive, face higher risks. Additionally, the vulnerability could be leveraged as a foothold for further lateral movement within the network if attackers gain admin access.
Mitigation Recommendations
1. Immediately audit and restrict admin-level access to the WordPress environment and the Bookme plugin to trusted personnel only.
2. Monitor admin account activities for unusual behavior or unauthorized access attempts.
3. Apply the principle of least privilege to WordPress users to minimize the number of accounts with admin rights.
4. Until an official patch is released, implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the `filter[status]` parameter.
5. Employ input validation and sanitization at the application level if possible, ensuring that parameters passed to SQL queries are properly escaped or parameterized.
6. Regularly back up the WordPress site and database to enable recovery in case of compromise.
7. Once available, promptly update the Bookme plugin to a patched version that addresses this vulnerability.
8. Conduct security awareness training for administrators to recognize phishing or social engineering attempts that could lead to credential compromise.
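The following is an added illustration of recommendation 5 written for this page; it is not Bookme's own code and no part of the plugin's source is reproduced here. The table name `bookme_appointments`, the column names, the status vocabulary, and the function names are all assumptions. It places the unsafe pattern the advisory describes (building a query string directly from `filter[status]`) beside a hardened version that allowlists the value and binds it through WordPress's `$wpdb->prepare()`, so that the parameter can never alter the query's structure even when the caller is already an administrator.

```php
<?php
// Added example, not the plugin's code. Table/column names and the status list
// are assumptions; $wpdb, WP_Error and current_user_can() are WordPress APIs.

// UNSAFE pattern (the class of defect CVE-2025-13385 describes): the filter value
// is concatenated into the SQL text, so quotes and keywords in it become SQL.
function bookme_example_unsafe_appointments( $wpdb, $filter ) {
    $table  = $wpdb->prefix . 'bookme_appointments';            // assumed table
    $status = isset( $filter['status'] ) ? $filter['status'] : '';
    $sql    = "SELECT id, customer_id, start_time, status FROM {$table} "
            . "WHERE status = '" . $status . "'";                // DO NOT DO THIS
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened version:
//  1. require the capability the endpoint is meant for (admin-only here);
//  2. accept only values from a fixed allowlist, rejecting anything else;
//  3. bind the value with $wpdb->prepare(), so the DBMS receives it as data.
function bookme_example_filtered_appointments( $wpdb, $filter ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    // Assumed status vocabulary; an enum-like allowlist is stricter than escaping.
    $allowed = array( 'pending', 'approved', 'cancelled', 'rejected' );
    $status  = isset( $filter['status'] ) ? (string) $filter['status'] : '';

    if ( ! in_array( $status, $allowed, true ) ) {
        return new WP_Error( 'invalid_status', 'Unknown status filter.' );
    }

    $table = $wpdb->prefix . 'bookme_appointments';              // assumed table
    $sql   = $wpdb->prepare(
        "SELECT id, customer_id, start_time, status FROM {$table} "
        . 'WHERE status = %s ORDER BY start_time ASC',
        $status
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Typical call site in an admin request handler (names assumed):
// $rows = bookme_example_filtered_appointments( $GLOBALS['wpdb'],
//             isset( $_GET['filter'] ) ? (array) wp_unslash( $_GET['filter'] ) : array() );
```

The allowlist does the heavy lifting: a status filter has a small, known set of legitimate values, so any other input is rejected outright rather than escaped. `$wpdb->prepare()` remains worthwhile as defence in depth, and the capability check reflects the advisory's point that the endpoint is admin-only without treating admin input as trusted.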
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T21:01:51.304Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69255e28292ce6fc00be0616
Added to database: 11/25/2025, 7:43:36 AM
Last enriched: 12/2/2025, 2:52:33 PM
Last updated: 12/4/2025, 9:33:23 PM