Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedefiningTheWeb BMA Lite bma-lite-appointment-booking-and-scheduling allows SQL Injection. This issue affects BMA Lite: from n/a through <= 1.4.2.
Published: 2025-04-16
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw in the WordPress BMA Lite plugin allows attackers to supply specially crafted input that bypasses proper sanitization and is executed by the underlying database. The vulnerability arises from improper neutralization of special elements in SQL commands, enabling the injection of arbitrary SQL statements. Successful exploitation could give an attacker read or write access to the database, potentially leading to the disclosure of sensitive data or alteration of application behavior.

Affected Systems

The flaw is present in all releases of the BMA Lite plugin from RedefiningTheWeb up to and including version 1.4.2. WordPress sites that have this plugin installed and have not applied a newer version are vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 7.6 signals high severity, while the EPSS score of less than 1% suggests that exploitation likelihood is currently low. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely target the plugin through its public-facing booking interface, sending crafted parameters that are reflected in dynamic SQL statements. The exploit does not require authentication, meaning anyone with internet access to the site could trigger it. Note, however, that the CVSS vector recorded for this CVE carries PR:H (high privileges required), so this assessment should be weighed against that vector.

Generated by OpenCVE AI on April 30, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BMA Lite plugin to a version newer than 1.4.2.
  • If an upgrade is not possible, disable or remove the plugin until a fix is available.
  • Validate all user input to the plugin’s booking interface and enforce the use of parameterized queries or prepared statements.

Advisories

Source: EUVD
ID: EUVD-2025-11340
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedefiningTheWeb BMA Lite allows SQL Injection. This issue affects BMA Lite: from n/a through 1.4.2.

History

Thu, 23 Apr 2026 15:00:00 +0000
  • Metrics (cvssV3_1), values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  • Description, values removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedefiningTheWeb BMA Lite allows SQL Injection. This issue affects BMA Lite: from n/a through 1.4.2.
  • Description, values added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedefiningTheWeb BMA Lite bma-lite-appointment-booking-and-scheduling allows SQL Injection.This issue affects BMA Lite: from n/a through <= 1.4.2.
  • Title, values removed: WordPress BMA Lite <= 1.4.2 - SQL Injection Vulnerability
  • Title, values added: WordPress BMA Lite plugin <= 1.4.2 - SQL Injection vulnerability
  • References: (values not shown)
  • Metrics (cvssV3_1), values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 16 Apr 2025 14:15:00 +0000
  • Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Apr 2025 13:15:00 +0000
  • Description, values added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedefiningTheWeb BMA Lite allows SQL Injection. This issue affects BMA Lite: from n/a through 1.4.2.
  • Title, values added: WordPress BMA Lite <= 1.4.2 - SQL Injection Vulnerability
  • Weaknesses, values added: CWE-89
  • References: (values not shown)
  • Metrics (cvssV3_1), values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:34.232Z

Reserved: 2025-04-16T06:24:32.683Z

Link: CVE-2025-39518

Vulnrichment

Updated: 2025-04-16T13:25:40.685Z

NVD

Status: Deferred

Published: 2025-04-16T13:15:45.377

Modified: 2026-04-23T15:29:42.887

Link: CVE-2025-39518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')