Description
The Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress is vulnerable to time-based SQL Injection via the `filter[status]` parameter in all versions up to, and including, 4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-11-25
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data extraction via SQL injection
Action: Update plugin
AI Analysis

Impact

The Bookme – Free Online Appointment Booking and Scheduling Plugin is vulnerable to a time‑based SQL injection through the filter[status] parameter in all releases up to and including 4.2. The issue stems from insufficient escaping of a user‑supplied value and the lack of prepared statements, allowing authenticated users with administrator or higher privileges to append additional SQL statements to existing queries. This can be used to read sensitive data such as user credentials, booking details, and other private information stored in the database.

Affected Systems

WordPress sites that have installed the bylancer Bookme plugin in any version 4.2 or older. The vulnerable code resides in the admin/Bookings.php file accessed by users with admin or higher roles.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, while the EPSS score of less than 1 % suggests a low likelihood of exploitation in the wild. The vulnerability is not currently listed in CISA’s KEV catalog. Exploitation requires authentic access with administrator privileges, so an attacker would first need to compromise an admin account or use social engineering to gain such access before injecting malicious SQL via the filter[status] input.

Generated by OpenCVE AI on April 21, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bookme plugin to the latest available version (greater than 4.2).
  • Limit WordPress administrator roles to trusted users only and block the filter[status] endpoint for non‑admin roles where possible.
  • Sanitize the filter[status] parameter on the server side, ensuring it matches only allowed status codes before being incorporated into the SQL query.

Generated by OpenCVE AI on April 21, 2026 at 01:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 26 Nov 2025 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Bylancer
Bylancer bookme
Wordpress
Wordpress wordpress
Vendors & Products Bylancer
Bylancer bookme
Wordpress
Wordpress wordpress

Tue, 25 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Nov 2025 07:45:00 +0000

Type Values Removed Values Added
Description The Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress is vulnerable to time-based SQL Injection via the `filter[status]` parameter in all versions up to, and including, 4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Bookme <= 4.2 - Authenticated (Admin+) SQL Injection via 'filter[status]' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Bylancer Bookme
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:40.991Z

Reserved: 2025-11-18T21:01:51.304Z

Link: CVE-2025-13385

cve-icon Vulnrichment

Updated: 2025-11-25T14:24:59.734Z

cve-icon NVD

Status : Deferred

Published: 2025-11-25T08:15:50.630

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13385

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses