CVE-2025-13385 identifies a time-based SQL Injection vulnerability in the Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress, affecting all versions up to and including 4.2. The flaw arises from improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping and lack of prepared statements for the user-supplied filter[status] parameter. Authenticated attackers with admin-level privileges can inject additional SQL queries appended to existing ones, enabling them to extract sensitive information from the backend database. The vulnerability does not require user interaction but does require high privileges, limiting the attack surface to trusted users. The CVSS v3.1 score is 4.9 (medium), reflecting the network attack vector, low attack complexity, high privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. No public exploits are known, and no official patches have been released yet. The vulnerability was reserved and published in November 2025 by Wordfence. The plugin is widely used in WordPress environments for appointment scheduling, making the vulnerability relevant to many small and medium-sized businesses relying on this functionality.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information from the database, which could include user data, appointment details, or other confidential business information. Since the vulnerability requires admin-level access, the risk is somewhat mitigated by the need for high privileges; however, if an attacker compromises an admin account or if insider threats exist, this vulnerability could be exploited to escalate data breaches. The lack of integrity and availability impact means the database contents cannot be altered or deleted via this flaw, but confidentiality breaches alone can lead to regulatory penalties, reputational damage, and loss of customer trust. Organizations using the Bookme plugin in their WordPress sites are at risk, particularly those with weak admin credential management or insufficient monitoring of admin activities. The vulnerability's network accessibility means remote exploitation is possible once admin credentials are obtained, increasing the threat surface.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict admin-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 2) Monitor and audit admin activities and database query logs for unusual or suspicious patterns indicative of SQL Injection attempts. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block time-based SQL Injection payloads targeting the filter[status] parameter. 4) If feasible, temporarily disable or replace the Bookme plugin with alternative scheduling solutions that do not have this vulnerability. 5) Review and harden database permissions to limit data exposure even if SQL Injection occurs. 6) Prepare to apply patches promptly once available and test updates in staging environments before production deployment. 7) Educate administrators about the risks of SQL Injection and the importance of safeguarding credentials.