CVE-2025-12482: 
WordPress 脆弱性の分析と軽減

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-12482) discovered on November 16, 2025. This vulnerability affects all versions up to and including 1.2.35 of the plugin. The vulnerability exists in the 'search' parameter functionality and can be exploited by unauthenticated attackers (NVD).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 7.5 (HIGH). The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the search functionality (NVD, WordPress Plugin).

The vulnerability allows attackers to append additional SQL queries to existing queries, potentially leading to unauthorized access to sensitive information stored in the database. The impact primarily affects confidentiality (High), while integrity and availability remain unaffected (NVD).

Users are advised to update to version 1.2.36 or later of the Amelia plugin, which contains the security fix. The fix implements proper parameter sanitization and prepared statements for the SQL queries (WordPress Plugin).