{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39487", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:37.759Z", "datePublished": "2026-04-08T08:30:11.682Z", "dateUpdated": "2026-04-08T08:30:11.682Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ameliabooking", "product": "Amelia", "vendor": "ameliabooking", "versions": [{"changes": [{"at": "2.1.2", "status": "unaffected"}], "lessThanOrEqual": "2.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.922Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection.<p>This issue affects Amelia: from n/a through <= 2.1.1.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection.This issue affects Amelia: from n/a through <= 2.1.1."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:11.682Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-2-1-1-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Amelia plugin <= 2.1.1 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection.This issue affects Amelia: from n/a through <= 2.1.1."}], "id": "CVE-2026-39487", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:23.533", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-2-1-1-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Amelia", "source": "cna", "vendor": "ameliabooking"}, "product": "amelia", "vendor": "ameliabooking"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:18:15.355452+00:00", "value": {"mitigation_remediation": ["Upgrade the Amelia plugin to the latest release or to a patched version 2.1.2 or newer", "If an immediate upgrade is not possible, disable the Amelia plugin or restrict access to its endpoints until the patch can be applied", "Take a full backup of the WordPress database and files before applying the upgrade", "Verify site functionality after the upgrade and monitor logs for any anomalous activity"], "summary": {"action": "Immediate Patch", "impact": "SQL injection that may expose or alter database contents"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Amelia booking plugin version 2.1.1 or earlier are affected. Any site that has not updated the plugin past this version falls within the vulnerable scope.", "description_and_impact": "Improper neutralization of special elements in a SQL command leads to blind SQL injection in the Amelia WordPress plugin. This flaw permits an attacker to execute arbitrary SQL statements, potentially reading, modifying, or deleting database records. The impact is loss of confidentiality, integrity, and availability of the site\u2019s booking data, and potentially broader database compromise if the underlying database account has elevated privileges.", "risk_and_exploitability": "The attack vector is likely through web requests to plugin endpoints that accept user\u2011supplied input. No publicly documented exploit code is available, yet the vulnerability is a classic blind SQL injection, suggesting a high severity risk. With no authentication requirement stated, an unauthenticated attacker could exploit the flaw by sending specially crafted requests. Though exploitation may require probing to determine the database schema, the EPSS score is unavailable and the issue is not listed in the KEV catalog. Nonetheless, the potential for data theft or corruption warrants immediate remediation."}}}}, "created": "2026-04-08T19:30:41.181146+00:00", "updated": "2026-04-08T19:43:11.178790+00:00", "vendors": ["ameliabooking", "ameliabooking$PRODUCT$amelia", "wordpress", "wordpress$PRODUCT$wordpress"]}