PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14782 melograno CVE debrief

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Authenticated attackers, with wpamelia-manager role, can append additional SQL queries into already existing queries to extract sensitive information from the database.

Vendor
melograno
Product
Booking for Appointments and Events Calendar – Amelia
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of the Booking for Appointments and Events Calendar – Amelia plugin for WordPress, version 2.4.3 or earlier, should be aware of this SQL Injection vulnerability. Site administrators and security teams should prioritize updating to a patched version and monitor for potential exploitation attempts.

Technical summary

The vulnerability exists in the Customer Import feature of the Amelia plugin for WordPress. An attacker with the wpamelia-manager role can inject malicious SQL by manipulating the user-supplied parameter. This allows them to append additional SQL queries to existing ones, potentially leading to unauthorized data extraction. The issue arises from insufficient escaping on the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. Affected product deployments should be identified in managed environments, and owners should be assigned for follow-up. The official advisory or CVE record should be reviewed to validate affected scope, severity, and vendor guidance. Updates or mitigations should be planned through normal change control where exposure is confirmed. Compensating controls for exposed systems should be reviewed while remediation is scheduled and verified. Relevant monitoring, detection, and logs for exposed assets should be checked, and exceptions should be tracked. Remediated assets should be retested, and the item should only be closed after evidence is documented.

Defensive priority

High priority should be given to updating the Amelia plugin to a version that addresses this SQL Injection vulnerability. Additionally, monitoring database activity for suspicious queries and restricting access to the wpamelia-manager role can help mitigate potential risks.

Recommended defensive actions

  • Update the Amelia plugin to the latest version.
  • Restrict access to the wpamelia-manager role.
  • Monitor database activity for suspicious SQL queries.
  • Implement additional security measures to protect against SQL Injection attacks.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-16T22:16:59.753Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited details are available about the specific exploitation of this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T22:16:59.753Z and has not been modified since then. The NVD entry is currently Received.