CVE-2025-8781 is an SQL Injection vulnerability identified in the Bookster – WordPress Appointment Booking Plugin, a widely used plugin for managing appointments on WordPress websites. The vulnerability exists in all versions up to and including 2.1.1 due to improper neutralization of special characters in the 'raw' parameter. Specifically, the plugin fails to adequately escape user-supplied input and does not use prepared statements for SQL queries, allowing an authenticated attacker with Administrator-level access to append arbitrary SQL commands to existing queries. This can be exploited to extract sensitive information from the underlying database, such as user data, credentials, or other confidential records. The attack vector requires network access (remote) and high privileges, but no user interaction is necessary. The CVSS v3.1 base score is 4.9, reflecting medium severity with high confidentiality impact but no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability poses a risk to sites that have not updated or mitigated the issue. The lack of prepared statements and insufficient escaping are common causes of SQL Injection, emphasizing the need for secure coding practices in WordPress plugin development.

For European organizations, the primary impact of this vulnerability is the potential unauthorized disclosure of sensitive data stored within WordPress databases, including personal data protected under GDPR. Since the vulnerability requires Administrator-level access, it is likely to be exploited in scenarios where an attacker has already compromised or gained elevated privileges on the WordPress site. This could lead to data breaches involving customer information, appointment details, and possibly payment or contact information. The confidentiality breach could result in regulatory penalties, reputational damage, and loss of customer trust. However, the vulnerability does not allow modification or deletion of data, nor does it cause denial of service, limiting the scope to data exposure. Organizations relying on Bookster for appointment management, especially in healthcare, legal, or financial sectors, may face increased risk due to the sensitivity of the data handled. The absence of known exploits reduces immediate risk but should not lead to complacency.

European organizations should immediately verify if their WordPress installations use the Bookster plugin version 2.1.1 or earlier and plan to update to a patched version once available. In the absence of an official patch, administrators should restrict Administrator-level access to trusted personnel only and audit existing admin accounts for suspicious activity. Implementing Web Application Firewalls (WAF) with custom rules to detect and block SQL Injection patterns targeting the 'raw' parameter can provide interim protection. Additionally, organizations should enforce strong authentication mechanisms and monitor logs for unusual database query patterns. Developers maintaining custom integrations with Bookster should review and refactor code to use parameterized queries and proper input validation. Regular backups and incident response plans should be updated to handle potential data exposure incidents. Finally, organizations should subscribe to vulnerability advisories related to WordPress plugins to ensure timely updates.