CVE-2025-46241 Overview
CVE-2025-46241 is a Cross-Site Request Forgery (CSRF) vulnerability in the codepeople Appointment Booking Calendar plugin for WordPress. The flaw chains CSRF with SQL Injection, allowing attackers to execute arbitrary database queries through forged authenticated requests. The vulnerability affects all versions up to and including 1.3.92.
Attackers exploit the issue by tricking authenticated users into loading a malicious page or link. The forged request reaches a vulnerable plugin endpoint that fails to validate CSRF tokens and passes unsanitized input into a SQL query.
Critical Impact
Successful exploitation enables attackers to read, modify, or delete database contents, including WordPress user credentials and session data, leading to full site compromise.
Affected Products
- codepeople Appointment Booking Calendar plugin for WordPress
- All versions from initial release through 1.3.92
- WordPress sites running the vulnerable plugin with authenticated administrator sessions
Discovery Timeline
- 2025-04-22 - CVE-2025-46241 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-46241
Vulnerability Analysis
The vulnerability combines two distinct weaknesses in the Appointment Booking Calendar plugin. The plugin exposes administrative or booking-management endpoints without proper CSRF token validation, classified under [CWE-352]. These endpoints accept parameters that flow into SQL queries without sufficient sanitization or parameterized statement use.
When an authenticated WordPress user with sufficient privileges visits an attacker-controlled page, the browser issues a forged request to the vulnerable endpoint. The plugin processes the request as legitimate because the user's WordPress session cookie is automatically included. The injected SQL payload then executes against the WordPress database with the privileges of the WordPress database user.
Exploitation requires user interaction, as the targeted administrator must visit a malicious page or click a crafted link. The attack vector is network-based and requires no prior authentication on the attacker side.
Root Cause
The root cause is the absence of CSRF nonce verification using WordPress functions such as wp_verify_nonce() or check_admin_referer() on state-changing requests. Combined with this, the plugin concatenates user-supplied input directly into SQL statements rather than using prepared statements through $wpdb->prepare().
Attack Vector
An attacker hosts a webpage containing a hidden form or JavaScript that auto-submits a request to the vulnerable plugin endpoint. When a logged-in WordPress administrator visits the page, the browser transmits the request with valid session cookies. The forged request carries SQL injection payloads in parameters consumed by the plugin's database interaction logic.
No verified public proof-of-concept is currently available. Refer to the Patchstack Vulnerability Report for additional technical details.
Detection Methods for CVE-2025-46241
Indicators of Compromise
- Unexpected POST or GET requests to Appointment Booking Calendar plugin endpoints originating from external Referer headers
- WordPress access logs showing administrator requests to plugin endpoints immediately after visiting unrelated external sites
- Anomalous database queries containing SQL meta-characters such as UNION SELECT, --, OR 1=1, or SLEEP() in plugin parameters
- Unexpected modifications to the wp_users, wp_options, or plugin-specific tables
Detection Strategies
- Inspect web server access logs for plugin endpoints accessed with suspicious referrers or missing nonce parameters
- Enable WordPress database query logging and review queries originating from the Appointment Booking Calendar plugin for injection signatures
- Deploy a Web Application Firewall (WAF) with SQL injection signature detection in front of the WordPress site
- Monitor for new or modified administrative accounts in wp_users that were not provisioned through standard workflows
Monitoring Recommendations
- Alert on outbound HTTP responses from plugin endpoints containing large data volumes that may indicate database exfiltration
- Track administrator login sessions and correlate session activity with external referrer events
- Forward WordPress and web server logs to a centralized analytics platform for cross-correlation with threat intelligence
How to Mitigate CVE-2025-46241
Immediate Actions Required
- Audit all WordPress installations for the Appointment Booking Calendar plugin and identify versions 1.3.92 or earlier
- Deactivate the plugin on affected sites until a patched release is verified and installed
- Force a password reset for all WordPress administrator accounts and rotate any API keys or secrets stored in the database
- Review database contents for unauthorized modifications and restore from clean backups where tampering is confirmed
Patch Information
Review the Patchstack Vulnerability Report for the latest patched version information. Update the plugin through the WordPress admin dashboard or via WP-CLI using wp plugin update appointment-booking-calendar.
Workarounds
- Restrict access to the WordPress administrative interface using IP allowlists at the web server or firewall layer
- Deploy a WAF rule set that enforces SQL injection filtering on requests to /wp-admin/ and plugin endpoints
- Require administrators to use separate browser profiles or sessions for WordPress administration to reduce CSRF exposure
- Enforce short session timeouts and re-authentication for sensitive plugin actions
# Configuration example: disable the vulnerable plugin via WP-CLI
wp plugin deactivate appointment-booking-calendar
wp plugin status appointment-booking-calendar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
