CVE-2025-13385: Critical Time-Based SQL Injection Vulnerability in Bookme WordPress Plugin

Overview

CVE-2025-13385 details a time-based SQL Injection vulnerability found in the Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress. This vulnerability affects all versions up to, and including, 4.2. Exploitation of this vulnerability allows authenticated attackers with administrative privileges or higher to inject malicious SQL code, potentially leading to sensitive data extraction from the WordPress database.

Technical Details

The vulnerability resides within the `filter[status]` parameter used in the Bookings.php file of the Bookme plugin. Specifically, versions 4.2 and earlier suffer from insufficient input sanitization on the user-supplied `filter[status]` parameter. The lack of proper escaping and insufficient preparation of the SQL query enables attackers to inject arbitrary SQL code. The vulnerable code is located around line 123 in the Bookings.php file.

The attacker can craft a malicious request containing SQL commands within the `filter[status]` parameter. Since the input is not properly sanitized, these commands are directly inserted into the database query, allowing the attacker to execute arbitrary SQL code. The vulnerability is time-based, meaning the attacker can infer information about the database by observing the time it takes for the server to respond to different injected queries. This can be used to exfiltrate sensitive data such as user credentials or other confidential information stored in the WordPress database.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13385 is 4.9 (Medium). The CVSS vector reflects the following characteristics:

• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): High (H)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality Impact (C): Low (L)
• Integrity Impact (I): None (N)
• Availability Impact (A): None (N)

While the score is Medium, the vulnerability’s impact can be significant, as it allows attackers to potentially access sensitive information. The ‘High’ attack complexity indicates that successful exploitation requires specialized knowledge and techniques.

Possible Impact

Successful exploitation of this SQL Injection vulnerability could lead to several severe consequences:

• Data Breach: Attackers could extract sensitive data from the WordPress database, including user credentials, customer information, and other confidential data.
• Account Takeover: Stolen user credentials could be used to compromise user accounts, including administrator accounts.
• Further Exploitation: Gaining access to the database could open the door to further exploitation, such as injecting malicious code into the website or using the compromised server as a launching point for other attacks.

Mitigation and Patch Steps

The recommended mitigation is to update the Bookme – Free Online Appointment Booking and Scheduling Plugin to the latest version as soon as it becomes available. Check the WordPress plugin repository for updates. The vendor has not yet released a patch at the time of this writing. Until a patch is released, consider the following temporary mitigation steps:

• Disable the Plugin: Temporarily disabling the Bookme plugin can prevent exploitation of the vulnerability.
• Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) with SQL injection protection rules to filter out malicious requests targeting the `filter[status]` parameter.
• Input Validation: If possible, implement input validation on the `filter[status]` parameter to restrict the type of data accepted.