CVE-2026-4668 identifies a SQL Injection vulnerability in the Amelia Booking for Appointments and Events Calendar WordPress plugin, specifically in versions up to and including 2.1.2. The vulnerability is located in the 'sort' parameter of the payments listing endpoint, where user input is directly interpolated into an SQL ORDER BY clause within the PaymentRepository.php file. Unlike typical SQL parameters, column names in ORDER BY clauses cannot be parameterized using PDO prepared statements, and the plugin fails to implement whitelist validation or proper escaping for this parameter. Furthermore, GET requests to this endpoint bypass Amelia's nonce validation, which normally protects against CSRF attacks, allowing authenticated users with Manager-level privileges (wpamelia-manager role) or higher to exploit this flaw. Exploitation involves appending additional SQL queries via the 'sort' parameter, enabling time-based blind SQL injection attacks that can extract sensitive information from the backend database. Although no public exploits have been reported, the vulnerability poses a significant risk due to the potential for data leakage. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and high confidentiality impact without affecting integrity or availability.

This vulnerability allows authenticated users with Manager-level access or higher to perform SQL Injection attacks, potentially extracting sensitive data such as user information, payment details, or other confidential records stored in the database. While it does not directly affect data integrity or availability, the confidentiality breach can lead to privacy violations, regulatory non-compliance, and reputational damage. Organizations relying on the Amelia plugin for appointment and event management may face data exposure risks, especially if the plugin is used in environments with sensitive customer or financial data. The bypass of nonce validation on GET requests increases the attack surface, making exploitation easier for insiders or compromised accounts. Given the widespread use of WordPress and the popularity of Amelia in small to medium businesses, the vulnerability could impact a broad range of organizations globally. Although exploitation requires authenticated access, compromised credentials or insider threats could leverage this flaw to escalate data breaches.

To mitigate this vulnerability, organizations should immediately update the Amelia plugin to a patched version once available. In the absence of an official patch, administrators should implement strict input validation by enforcing a whitelist of allowed column names for the 'sort' parameter to prevent injection of arbitrary SQL. Additionally, modifying the plugin code to avoid direct interpolation of user input in SQL queries and instead use safe query-building techniques is critical. Enforcing the principle of least privilege by restricting Manager-level access to trusted users reduces the risk of exploitation. Monitoring and logging access to the payments listing endpoint can help detect suspicious activity. Disabling or restricting GET requests to this endpoint or enforcing nonce validation on all request methods can further reduce attack vectors. Regularly auditing user roles and credentials, and employing multi-factor authentication for privileged accounts, will help prevent unauthorized exploitation. Finally, organizations should conduct security assessments and penetration testing to verify the effectiveness of these mitigations.