Atomic Edge analysis of CVE-2025-8781:
This vulnerability is an authenticated SQL injection in the Bookster WordPress Appointment Booking Plugin affecting versions up to and including 2.1.1. The vulnerability exists in the plugin’s REST API endpoints that handle appointment queries, allowing administrators to inject arbitrary SQL via the ‘raw’ parameter. The CVSS score of 4.9 reflects the requirement for administrator-level access, limiting the attack surface to privileged users.
The root cause is insufficient input validation and improper query construction in the AppointmentsService class. The vulnerable code path begins in the query_appointments() method of AppointmentsController.php, which passes user-controlled parameters directly to the appointments_service->query_where_with_info() method. The ‘raw’ parameter from the REST request is incorporated into SQL WHERE clauses without proper sanitization or prepared statement usage. The plugin constructs dynamic SQL queries by concatenating user-supplied ‘raw’ parameter values directly into the query string.
Exploitation requires administrator-level access to the WordPress site. Attackers send authenticated POST requests to the /wp-json/bookster/v1/appointments endpoint with a malicious ‘raw’ parameter in the request body. The payload contains SQL injection syntax that gets appended to existing WHERE clauses in database queries. Example payloads include UNION-based queries to extract data from other tables or time-based blind SQL injection techniques to enumerate database structure and content.
The patch in version 2.2.0 addresses the vulnerability by implementing proper input validation and removing the direct incorporation of user-supplied ‘raw’ parameters into SQL queries. The fix modifies the query construction logic in AppointmentsService.php to use WordPress’s $wpdb->prepare() method for all dynamic query components. The patch also adds parameter type checking and sanitization before any database interaction occurs.
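As an added illustration of the root cause and of the fix described above (this is example code, not the Bookster plugin's own source, and the table name `bookster_appointments`, the column names and the function names are assumptions), the first function shows the concatenation pattern the analysis describes, and the second shows a hardened equivalent in which the client no longer supplies any SQL text at all: filters arrive as column/value pairs, column names are taken from an allow-list, and every value is bound through `$wpdb->prepare()`.

```php
<?php
// Added illustration (not the Bookster plugin's own code): the concatenation
// pattern beside a hardened equivalent built on $wpdb->prepare().
// Table and column names below are assumed for the example.

// VULNERABLE PATTERN: the request's 'raw' parameter is appended to the WHERE
// clause verbatim, so whoever controls the request controls the SQL.
function query_appointments_vulnerable( wpdb $wpdb, array $request ) {
    $table = $wpdb->prefix . 'bookster_appointments'; // assumed table name
    $raw   = isset( $request['raw'] ) ? (string) $request['raw'] : '';

    $sql = "SELECT * FROM {$table} WHERE status = 'active'";
    if ( '' !== $raw ) {
        $sql .= ' AND ' . $raw; // client-controlled SQL fragment, no escaping
    }
    return $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED PATTERN: no free-form SQL from the client. Filters are structured
// (column => value), column names are checked against an allow-list, and
// every value is passed to $wpdb->prepare() as a bound placeholder.
function query_appointments_hardened( wpdb $wpdb, array $request ) {
    $table = $wpdb->prefix . 'bookster_appointments'; // assumed table name

    // A legacy 'raw' key is rejected outright rather than ignored, so that
    // old clients fail loudly and probing for the removed behaviour is visible.
    if ( isset( $request['raw'] ) ) {
        return new WP_Error( 'bookster_raw_not_supported', 'Free-form filters are not accepted.', array( 'status' => 400 ) );
    }

    // Public filter name => placeholder type used by prepare(). Keys of this
    // array are the only identifiers that ever reach the SQL string.
    $allowed = array(
        'status'      => '%s',
        'customer_id' => '%d',
        'service_id'  => '%d',
        'date_from'   => '%s',
        'date_to'     => '%s',
    );

    $filters = ( isset( $request['filters'] ) && is_array( $request['filters'] ) )
        ? $request['filters']
        : array();

    $clauses = array( '1=1' );
    $values  = array();

    foreach ( $filters as $column => $value ) {
        if ( ! array_key_exists( $column, $allowed ) ) {
            return new WP_Error( 'bookster_bad_filter', 'Unknown filter: ' . $column, array( 'status' => 400 ) );
        }
        $placeholder = $allowed[ $column ];
        if ( '%d' === $placeholder && ! is_numeric( $value ) ) {
            return new WP_Error( 'bookster_bad_filter', 'Filter must be numeric: ' . $column, array( 'status' => 400 ) );
        }

        // The column name is the allow-list key, never the client's string.
        if ( 'date_from' === $column ) {
            $clauses[] = "start_time >= {$placeholder}";
        } elseif ( 'date_to' === $column ) {
            $clauses[] = "start_time <= {$placeholder}";
        } else {
            $clauses[] = "{$column} = {$placeholder}";
        }
        $values[] = ( '%d' === $placeholder ) ? (int) $value : (string) $value;
    }

    $sql = "SELECT * FROM {$table} WHERE " . implode( ' AND ', $clauses );
    if ( ! empty( $values ) ) {
        // prepare() quotes %s values and casts %d values; it is only called
        // when there is at least one argument, as WordPress requires.
        $sql = $wpdb->prepare( $sql, ...$values );
    }
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The design point is that the hardened version has no code path in which a client-supplied string is interpreted as SQL: identifiers come from the allow-list, values travel through placeholders, and anything that does not fit the schema is answered with a 400 instead of being passed along. A REST route using this function should still carry a `permission_callback` that checks the required capability, since the query hardening addresses the injection and not the authorization question.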
Successful exploitation allows authenticated administrators to execute arbitrary SQL queries on the WordPress database. This can lead to extraction of sensitive information including user credentials, payment details, appointment records, and other plugin data. While administrator access is required, the vulnerability enables privilege persistence and data exfiltration that could compromise the entire WordPress installation and associated systems.
