Shared security patch analysis results
AI Used: claude_cli haiku

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.
--- cache/simply-schedule-appointments_1.6.9.9/admin-app/iframe-inner.php 2026-01-15 00:16:08.406894450 +0000+++ cache/simply-schedule-appointments_1.6.9.13/admin-app/iframe-inner.php 2026-01-15 00:16:26.936043171 +0000@@ -62,7 +62,7 @@ <link rel='stylesheet' id='ssa-admin-custom-css' href='<?php echo $admin_css_url; ?>' type='text/css' media='all' /> <?php do_action( 'ssa_admin_head' ); ?> </head>- <body <?php body_class(); ?>>+ <body <?php body_class(); ?> data-iframe-height> <?php echo '<div id="ssa-admin-app"> <noscript> <div class="unsupported">
## Analysis Results

**Vulnerability Existed: no**

**No CWE/Security Vulnerability - Line 65**

**Old Code:**
```php
<body <?php body_class(); ?>>
```
**Fixed Code:**
```php
<body <?php body_class(); ?> data-iframe-height>
```
**Explanation:**
This change adds a `data-iframe-height` HTML attribute to the body tag. It is a non-security change used for styling or JavaScript DOM manipulation. The attribute is a static string literal with no user input; a data attribute only becomes security-relevant when its value is attacker-controlled and a script later reads it into the DOM or a URL, which is not the case here. The change does not involve:
- User input handling
- Output encoding/escaping
- Authentication/authorization
- SQL operations
- File operations
- Remote code execution vectors
- Injection points (XSS, SQL, command injection)
- CSRF token handling
- Cryptographic operations
- Access control modifications

This is purely a UI/layout change with no security implications.
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
--- cache/simply-schedule-appointments_1.6.9.9/booking-app-new/fullscreen-page.php 2026-01-15 00:16:08.450897178 +0000+++ cache/simply-schedule-appointments_1.6.9.13/booking-app-new/fullscreen-page.php 2026-01-15 00:16:26.980045899 +0000@@ -6,7 +6,7 @@ <title><?php the_title(); ?></title> <?php wp_head(); ?> </head>- <body <?php body_class(); ?>>+ <body <?php body_class(); ?> data-iframe-height> <?php while ( have_posts() ) : the_post(); ?> <?php the_content(); ?> <?php endwhile; // End of the loop. ?>
Vulnerability Existed: no

No Vulnerability Identified - Attribute Addition

File: booking-app-new/fullscreen-page.php (Line 9)

Old Code:
```php
<body <?php body_class(); ?>>
```
Fixed Code:
```php
<body <?php body_class(); ?> data-iframe-height>
```
Explanation:
This change adds a `data-iframe-height` HTML attribute to the body element. This is a benign modification that does not introduce or fix any security vulnerabilities. The addition of a custom data attribute is a standard HTML practice used for JavaScript targeting or styling purposes. There is no injection risk, no privilege escalation, no information disclosure, and no other security concern associated with adding a static data attribute. The `body_class()` function call remains unchanged and continues to output escaped CSS classes.
--- cache/simply-schedule-appointments_1.6.9.9/booking-app-new/page-appointment-edit.php 2026-01-15 00:16:08.450897178 +0000+++ cache/simply-schedule-appointments_1.6.9.13/booking-app-new/page-appointment-edit.php 2026-01-15 00:16:26.980045899 +0000@@ -6,7 +6,7 @@ <title><?php echo apply_filters( 'ssa_appointment_edit_page_title', __( 'Edit Appointment', 'simply-schedule-appointments' ) ); ?></title> <?php wp_head(); ?> </head>- <body <?php body_class(); ?>>+ <body <?php body_class(); ?> data-iframe-height> <?php global $ssa_current_appointment_id; if ( empty( $ssa_current_appointment_id ) ) {
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no

No CWE - N/A - booking-app-new/page-appointment-edit.php (Line 9)

Old Code:
```php
<body <?php body_class(); ?>>
```
Fixed Code:
```php
<body <?php body_class(); ?> data-iframe-height>
```
Explanation:
This change adds a `data-iframe-height` attribute to the `<body>` tag. This is a non-security modification that adds a custom data attribute for JavaScript functionality (likely for iframe height management). The change does not introduce or fix any security vulnerabilities. The `body_class()` function remains unchanged and continues to use WordPress's built-in escaping. The new data attribute is a static string literal with no user input, so there are no injection risks. This is purely a functional enhancement with no security implications.
--- cache/simply-schedule-appointments_1.6.9.9/includes/class-elementor.php 2026-01-15 00:16:08.458897674 +0000+++ cache/simply-schedule-appointments_1.6.9.13/includes/class-elementor.php 2026-01-15 00:16:26.988046395 +0000@@ -20,7 +20,7 @@ * * @var string The plugin version. */- const VERSION = '1.6.9.9';+ const VERSION = '1.6.9.13'; /** * Minimum Elementor Version@@ -29,7 +29,7 @@ * * @var string Minimum Elementor version required to run the plugin. */- const MINIMUM_ELEMENTOR_VERSION = '1.6.9.9';+ const MINIMUM_ELEMENTOR_VERSION = '1.6.9.13'; /** * Minimum PHP Version@@ -38,7 +38,7 @@ * * @var string Minimum PHP version required to run the plugin. */- const MINIMUM_PHP_VERSION = '1.6.9.9';+ const MINIMUM_PHP_VERSION = '1.6.9.13'; /** * Instance
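Review bot: the second and third changes in this file set MINIMUM_ELEMENTOR_VERSION and MINIMUM_PHP_VERSION to the plugin's own release number, which looks like a blanket replace of the version string rather than an intended change; a "minimum PHP version" of '1.6.9.13' means any gate of the form `version_compare( PHP_VERSION, self::MINIMUM_PHP_VERSION, '<' )` can never fire, and the same holds for the Elementor minimum. Suggest bumping only VERSION here and restoring the two minimum constants to real minimums (the plugin header elsewhere in this release states `Requires PHP: 7.4`).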
Analyzing the provided code diff for security vulnerabilities:

Vulnerability Existed: no

No Security Issues Identified - [File] includes/class-elementor.php [Lines 23, 32, 41]

Old Code:
```php
const VERSION = '1.6.9.9';
const MINIMUM_ELEMENTOR_VERSION = '1.6.9.9';
const MINIMUM_PHP_VERSION = '1.6.9.9';
```
Fixed Code:
```php
const VERSION = '1.6.9.13';
const MINIMUM_ELEMENTOR_VERSION = '1.6.9.13';
const MINIMUM_PHP_VERSION = '1.6.9.13';
```
Explanation:
This diff only updates version constants from '1.6.9.9' to '1.6.9.13'. These are hardcoded string values used for internal tracking and dependency checking. There are no security vulnerabilities in this change:
1. **No input validation issues** - These are hardcoded constants, not user input
2. **No injection vectors** - Version strings are only compared, never executed or interpreted
3. **No privilege escalation** - At most these constants gate plugin activation; they grant nothing
4. **No exposure of sensitive data** - Version numbers are public information

One correctness caveat: MINIMUM_ELEMENTOR_VERSION and MINIMUM_PHP_VERSION now carry the plugin's own version rather than a real minimum, so any check comparing the running PHP or Elementor version against them will always pass. That is a functional bug from a blanket version-string replace, not a vulnerability. Otherwise this is a routine version bump with no security implications.
--- cache/simply-schedule-appointments_1.6.9.9/includes/class-paypal-ipn-listener.php 2026-01-15 00:16:08.458897674 +0000+++ cache/simply-schedule-appointments_1.6.9.13/includes/class-paypal-ipn-listener.php 2026-01-15 00:16:26.988046395 +0000@@ -23,7 +23,7 @@ * @package PHP-PayPal-IPN * @author Micah Carrick * @copyright (c) 2011 - Micah Carrick- * @version 1.6.9.9+ * @version 1.6.9.13 * @license http://opensource.org/licenses/gpl-3.0.html */
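Review bot: this `@version` tag belongs to the vendored third-party PHP-PayPal-IPN class (the same DocBlock names Micah Carrick and a 2011 copyright), so rewriting it to the plugin's release number discards the upstream library version and makes it impossible to tell from the file which upstream fixes this copy contains. Suggest leaving the library's own `@version` untouched and recording the vendored copy's origin and revision in the plugin's dependency metadata instead.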
I'll analyze the provided diff for security vulnerabilities.

Vulnerability Existed: no

Analysis Summary:
The diff shows only a version number change in a file header comment (from 1.6.9.9 to 1.6.9.13). This is a non-functional change that updates documentation metadata only.

**No Security Vulnerabilities Identified**

The modification updates the `@version` tag in the PHP DocBlock comment from `1.6.9.9` to `1.6.9.13`. This change:
- Does not modify any executable code
- Does not change logic, data handling, or security mechanisms
- Only updates version documentation

Since the diff contains no changes to actual code functionality, there are no security fixes to analyze and no vulnerabilities present in this change. Note that the DocBlock describes the vendored PHP-PayPal-IPN library rather than the plugin itself, so the tag now records the plugin release instead of the library version, which weakens supply-chain tracking of that vendored code.
--- cache/simply-schedule-appointments_1.6.9.9/includes/lib/td-util/class-td-db-model.php 2026-01-15 00:16:08.466898170 +0000+++ cache/simply-schedule-appointments_1.6.9.13/includes/lib/td-util/class-td-db-model.php 2026-01-15 00:16:26.996046891 +0000@@ -222,8 +222,8 @@ */ public function db_get_by( $field, $row_id, $recursive=0 ) { global $wpdb;- $field = esc_sql( $field );- $row = (array)$wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$this->get_table_name()} WHERE $field = %s LIMIT 1;", $row_id ) );+ $sanitized_field = sanitize_key( esc_sql( $field ) );+ $row = (array)$wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$this->get_table_name()} WHERE $sanitized_field = %s LIMIT 1;", $row_id ) ); $row = $this->prepare_item_for_response( $row, $recursive ); return $row; }@@ -237,8 +237,8 @@ */ public function db_get_field( $field, $row_id ) { global $wpdb;- $field = esc_sql( $field );- return $wpdb->get_var( $wpdb->prepare( "SELECT $field FROM {$this->get_table_name()} WHERE $this->primary_key = %s LIMIT 1;", $row_id ) );+ $sanitized_field = sanitize_key( esc_sql( $field ) );+ return $wpdb->get_var( $wpdb->prepare( "SELECT $sanitized_field FROM {$this->get_table_name()} WHERE $this->primary_key = %s LIMIT 1;", $row_id ) ); } /**@@ -250,9 +250,9 @@ */ public function db_get_field_by( $field, $field_where, $field_value ) { global $wpdb;- $field_where = esc_sql( $field_where );- $field = esc_sql( $field );- return $wpdb->get_var( $wpdb->prepare( "SELECT $field FROM {$this->get_table_name()} WHERE $field_where = %s LIMIT 1;", $field_value ) );+ $sanitized_field_where = sanitize_key( esc_sql( $field_where ) );+ $sanitized_field = sanitize_key( esc_sql( $field ) );+ return $wpdb->get_var( $wpdb->prepare( "SELECT $sanitized_field FROM {$this->get_table_name()} WHERE $sanitized_field_where = %s LIMIT 1;", $field_value ) ); } public function get_meta_foreign_key(){@@ -1015,7 +1015,8 @@ $where = ''; $schema = $this->get_schema(); - if ( ! 
empty( $args['append_where_sql'] ) ) {+ // we allow append_where_sql to be set in the backend, but not in the request parameters+ if ( ! empty( $args['append_where_sql'] ) && empty( $_REQUEST['append_where_sql']) ) { if( ! is_array( $args['append_where_sql'] ) ) { $args['append_where_sql'] = array( $args['append_where_sql'] ); }@@ -1164,13 +1165,13 @@ // $rows = wp_cache_get( $cache_key, 'rows' ); - $args['orderby'] = esc_sql( $args['orderby'] );- $args['order'] = esc_sql( $args['order'] );+ $sanitized_orderby = sanitize_key(esc_sql( $args['orderby'] ));+ $sanitized_order = 'ASC' === strtoupper( esc_sql( $args['order'] ) ) ? 'ASC' : 'DESC'; $table_name = $this->get_table_name(); $fields = empty( $args['fields'] ) ? '*' : '`' . implode( '`, `', $args['fields'] ) . '`'; // if( $rows === false ) {- $sql = $wpdb->prepare( "SELECT $fields FROM $table_name $where ORDER BY {$args['orderby']} {$args['order']} LIMIT %d,%d;", absint( $args['offset'] ), absint( $args['number'] ) );+ $sql = $wpdb->prepare( "SELECT $fields FROM $table_name $where ORDER BY $sanitized_orderby $sanitized_order LIMIT %d,%d;", absint( $args['offset'] ), absint( $args['number'] ) ); $rows = $wpdb->get_results( $sql ); $rows = array_map( function($row) { return (array)$row; }, $rows ); // }
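Review bot: in the db_get_by, db_get_field and db_get_field_by hunks, `sanitize_key( esc_sql( $field ) )` makes the inner `esc_sql()` redundant, since sanitize_key strips everything outside [a-z0-9_-] including the characters esc_sql escapes, and it also lowercases the identifier, so a mixed-case column name would silently be rewritten to a column that does not exist. `$this->get_schema()` is available in this class (it is called in the append_where_sql hunk below), so validating `$field` and `$field_where` against the schema's column list would reject unknown identifiers outright instead of mangling them; sanitize_key also keeps `-`, so its output is not guaranteed to be a single identifier.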
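Review bot: the append_where_sql guard tests `$_REQUEST` rather than removing the key where `$args` is built from the request, so it only covers parameters PHP places in `$_REQUEST` (query string, form body, cookies) and does nothing for a body parsed elsewhere, for example JSON, and it also switches off backend-set `append_where_sql` for any request that happens to carry that parameter name. Suggest stripping `append_where_sql` when request parameters are mapped into `$args`, and keeping raw-SQL fragments in an internal argument that request parsing can never populate.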
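Review bot: in the ORDER BY hunk the direction allowlist (`'ASC' === strtoupper( ... ) ? 'ASC' : 'DESC'`) is the right shape, but `$sanitized_orderby` still relies on `sanitize_key()` alone, which admits hyphens and does not confirm the column exists, and the `$fields` line just below is unchanged: it joins `$args['fields']` with backticks and no escaping or validation, so a backtick inside a field name would break out of the quoting, the same identifier-injection class this hunk fixes for orderby. Suggest validating `$args['orderby']` and every entry of `$args['fields']` against the schema column list and dropping the now redundant inner `esc_sql()` call.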
I'll analyze this code diff for security fixes following the specified format.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - includes/lib/td-util/class-td-db-model.php Lines 225-226
**Old Code:**
```php
$field = esc_sql( $field );
$row = (array)$wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$this->get_table_name()} WHERE $field = %s LIMIT 1;", $row_id ) );
```
**Fixed Code:**
```php
$sanitized_field = sanitize_key( esc_sql( $field ) );
$row = (array)$wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$this->get_table_name()} WHERE $sanitized_field = %s LIMIT 1;", $row_id ) );
```
**Explanation:**
The original code passed the column name through `esc_sql()` only. `esc_sql()` escapes the characters that matter inside a quoted string literal (quotes, backslashes, NUL); an identifier is interpolated unquoted, so a value built from letters, spaces, commas, parentheses and operators passes through unchanged and is executed as SQL. `sanitize_key()` lowercases the value and strips everything except `a-z`, `0-9`, `_` and `-`, which removes the characters an injected expression needs. Whether this path is reachable with attacker-controlled `$field` depends on the callers, which this hunk does not show. A strict allowlist against the model's schema columns would be tighter still: `sanitize_key()` admits hyphens and silently lowercases a mixed-case column name rather than rejecting it.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - includes/lib/td-util/class-td-db-model.php Lines 240-241
**Old Code:**
```php
$field = esc_sql( $field );
return $wpdb->get_var( $wpdb->prepare( "SELECT $field FROM {$this->get_table_name()} WHERE $this->primary_key = %s LIMIT 1;", $row_id ) );
```
**Fixed Code:**
```php
$sanitized_field = sanitize_key( esc_sql( $field ) );
return $wpdb->get_var( $wpdb->prepare( "SELECT $sanitized_field FROM {$this->get_table_name()} WHERE $this->primary_key = %s LIMIT 1;", $row_id ) );
```
**Explanation:**
Same pattern as #1: a column name in the SELECT list is also an unquoted identifier, so `esc_sql()` alone does not constrain it. `sanitize_key()` limits it to `[a-z0-9_-]`, which prevents a malformed column name from becoming an expression.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/lib/td-util/class-td-db-model.php Lines 253-255
**Old Code:**
```php
$field_where = esc_sql( $field_where );
$field = esc_sql( $field );
return $wpdb->get_var( $wpdb->prepare( "SELECT $field FROM {$this->get_table_name()} WHERE $field_where = %s LIMIT 1;", $field_value ) );
```
**Fixed Code:**
```php
$sanitized_field_where = sanitize_key( esc_sql( $field_where ) );
$sanitized_field = sanitize_key( esc_sql( $field ) );
return $wpdb->get_var( $wpdb->prepare( "SELECT $sanitized_field FROM {$this->get_table_name()} WHERE $sanitized_field_where = %s LIMIT 1;", $field_value ) );
```
**Explanation:**
Both field names in SELECT and WHERE clauses needed `sanitize_key()` validation. This fix applies the same defense-in-depth approach to both dynamic column references.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Arbitrary SQL Injection / Improper Input Validation - CWE-89, CWE-1287 - includes/lib/td-util/class-td-db-model.php Line 1018
**Old Code:**
```php
if ( ! empty( $args['append_where_sql'] ) ) {
```
**Fixed Code:**
```php
// we allow append_where_sql to be set in the backend, but not in the request parameters
if ( ! empty( $args['append_where_sql'] ) && empty( $_REQUEST['append_where_sql']) ) {
```
**Explanation:**
The original code used `append_where_sql` from `$args` regardless of where it came from, and `$args` can be populated from request parameters, so raw SQL supplied by an unauthenticated client was concatenated into the WHERE clause. The fix refuses the value whenever `$_REQUEST['append_where_sql']` is also set, leaving it usable only by backend callers. This is a block on one transport rather than validation: it relies on the request parameter arriving in `$_REQUEST` under that exact name, and it also disables legitimate backend use of the option for any request that carries the parameter. Removing the key when request parameters are mapped into `$args` would be the more robust shape.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/lib/td-util/class-td-db-model.php Lines 1168-1169, 1174
**Old Code:**
```php
$args['orderby'] = esc_sql( $args['orderby'] );
$args['order'] = esc_sql( $args['order'] );
...
$sql = $wpdb->prepare( "SELECT $fields FROM $table_name $where ORDER BY {$args['orderby']} {$args['order']} LIMIT %d,%d;", absint( $args['offset'] ), absint( $args['number'] ) );
```
**Fixed Code:**
```php
$sanitized_orderby = sanitize_key(esc_sql( $args['orderby'] ));
$sanitized_order = 'ASC' === strtoupper( esc_sql( $args['order'] ) ) ? 'ASC' : 'DESC';
...
$sql = $wpdb->prepare( "SELECT $fields FROM $table_name $where ORDER BY $sanitized_orderby $sanitized_order LIMIT %d,%d;", absint( $args['offset'] ), absint( $args['number'] ) );
```
**Explanation:**
Both `orderby` and `order` were interpolated unquoted into the `ORDER BY` clause after `esc_sql()`, which only escapes quote and backslash characters. A sort expression written without quotes (a scalar subquery, a `CASE`, arithmetic on a column) survives `esc_sql()` intact and runs as part of the `ORDER BY`; this is the classic blind-injection position, because the resulting row order answers a yes/no question about data the query was never meant to touch. The fix maps `order` to exactly `'ASC'` or `'DESC'` and passes `orderby` through `sanitize_key()`, which strips the characters an expression needs. Two caveats remain: `sanitize_key()` still allows hyphens and does not check that the column exists, and `$fields` is wrapped in backticks without equivalent treatment.
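The following is an added example, not code from the plugin or from this page's diff, showing the mechanism behind vulnerabilities #1 to #3 and #5: quote escaping does nothing for an unquoted identifier or sort-direction slot, while a direction allowlist plus a column allowlist closes it. It is written in Python against an in-memory SQLite database rather than the plugin's PHP and MySQL; `esc_sql()` and `sanitize_key()` are approximations of the WordPress helpers, and the tables, rows, secret value and `SORTABLE_COLUMNS` allowlist are all constructed for the demo.

```python
"""Added example (not the plugin's code): why esc_sql()-style quote escaping
does not protect SQL identifiers or ORDER BY direction, and what an
allowlist fix looks like. esc_sql() and sanitize_key() are Python
approximations of the WordPress helpers; the schema, rows and the
sortable-column allowlist are constructed for this demo (SQLite in memory)."""
import re
import sqlite3

# Constructed schema: ssa_secrets stands in for any table the appointment
# query was never meant to read.
SCHEMA = """
CREATE TABLE ssa_appointments (id INTEGER PRIMARY KEY, customer TEXT);
CREATE TABLE ssa_secrets (id INTEGER PRIMARY KEY, api_key TEXT);
INSERT INTO ssa_appointments VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
INSERT INTO ssa_secrets VALUES (1, 'sk_live_constructed');
"""
SECRET_LEN = len("sk_live_constructed")  # 19: what the blind oracle recovers


def esc_sql(value: str) -> str:
    """Approximates WordPress esc_sql(): escapes characters that matter inside
    a quoted string literal. Letters, spaces, commas, parentheses and operators
    pass through untouched, so an unquoted identifier slot gains nothing."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
            .replace('"', '\\"').replace("\x00", "\\0"))


def sanitize_key(value: str) -> str:
    """Approximates WordPress sanitize_key(): lowercase, keep only [a-z0-9_-]."""
    return re.sub(r"[^a-z0-9_\-]", "", value.lower())


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rows_vulnerable(conn, orderby: str, order: str) -> list:
    """Shape of the 1.6.9.9 query: esc_sql() then string interpolation."""
    sql = (f"SELECT id, customer FROM ssa_appointments "
           f"ORDER BY {esc_sql(orderby)} {esc_sql(order)} LIMIT 0,10;")
    return [row[1] for row in conn.execute(sql)]


SORTABLE_COLUMNS = {"id", "customer"}  # assumed allowlist taken from the schema


def rows_hardened(conn, orderby: str, order: str) -> list:
    """Shape of the 1.6.9.13 fix (sanitize_key on the column, ASC/DESC
    allowlist on the direction) plus a schema allowlist the fix itself lacks."""
    column = sanitize_key(esc_sql(orderby))
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"refusing to sort by {orderby!r}")
    direction = "ASC" if order.upper() == "ASC" else "DESC"
    sql = (f"SELECT id, customer FROM ssa_appointments "
           f"ORDER BY {column} {direction} LIMIT 0,10;")
    return [row[1] for row in conn.execute(sql)]


def oracle_payload(guess: int) -> str:
    """A quote-free value for the `order` slot: the sort key becomes
    id * (+1 or -1) depending on a condition about another table, so the
    row order answers a yes/no question. esc_sql() leaves it unchanged."""
    return (f"* (CASE WHEN (SELECT length(api_key) FROM ssa_secrets) > {guess} "
            f"THEN 1 ELSE -1 END)")


def leak_secret_length(conn, fetch=rows_vulnerable) -> int:
    """Blind extraction: ask 'is the secret longer than N?' until the order
    flips. Against rows_hardened the direction collapses to DESC on the first
    probe, so the loop stops at 0 and learns nothing."""
    ascending = ["alice", "bob", "carol"]
    guess = 0
    while fetch(conn, "id", oracle_payload(guess)) == ascending:
        guess += 1
        if guess > 64:  # safety cap for the demo
            break
    return guess


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaks secret length:", leak_secret_length(db, rows_vulnerable))
    print("hardened query leaks secret length:", leak_secret_length(db, rows_hardened))
```

The payload never contains a quote or backslash, which is exactly why `esc_sql()` returns it unchanged; the leak is the row order, not an error message. Note that `sanitize_key("id) -- ")` still yields `id--`, so on its own it rewrites rather than rejects; the schema allowlist is what turns an unknown identifier into a hard failure.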
--- cache/simply-schedule-appointments_1.6.9.9/languages/admin-app-translations.php 2026-01-15 00:16:08.470898418 +0000+++ cache/simply-schedule-appointments_1.6.9.13/languages/admin-app-translations.php 2026-01-15 00:16:27.000047139 +0000@@ -927,6 +927,7 @@ ), 'messages' => array (+ 'titleError' => __( 'Title is required', 'simply-schedule-appointments' ), 'sentToError' => __( 'Please enter a valid email address', 'simply-schedule-appointments' ), 'smsToError' => __( 'Please select at least one recipient', 'simply-schedule-appointments' ), 'triggerError' => __( 'You must select a trigger for a notification', 'simply-schedule-appointments' ),
Vulnerability Existed: no
No vulnerabilities detected - CWE Analysis
Explanation:
This diff shows the addition of a translation string for a validation error message in a WordPress plugin's language file. The change adds:
```php
'titleError' => __( 'Title is required', 'simply-schedule-appointments' ),
```
This is a benign localization change that:
1. Uses WordPress's `__()` function correctly for proper internationalization
2. Includes the correct text domain ('simply-schedule-appointments')
3. Adds user-facing validation messaging
4. Does not introduce any new code execution paths or security-sensitive operations
5. Does not modify authentication, authorization, data handling, or any sensitive functionality
The addition of validation error messages is a standard practice and does not create vulnerabilities. There are no injection vectors, unsafe operations, or security misconfigurations introduced by this change.
--- cache/simply-schedule-appointments_1.6.9.9/simply-schedule-appointments.php 2026-01-15 00:16:08.470898418 +0000+++ cache/simply-schedule-appointments_1.6.9.13/simply-schedule-appointments.php 2026-01-15 00:16:27.000047139 +0000@@ -3,7 +3,7 @@ * Plugin Name: Simply Schedule Appointments * Plugin URI: https://simplyscheduleappointments.com * Description: Easy appointment scheduling- * Version: 1.6.9.9+ * Version: 1.6.9.13 * Requires PHP: 7.4 * Author: NSquared * Author URI: https://nsquared.io/@@ -15,7 +15,7 @@ * @link https://simplyscheduleappointments.com * * @package Simply_Schedule_Appointments- * @version 1.6.9.9+ * @version 1.6.9.13 * * Built using generator-plugin-wp (https://github.com/WebDevStudios/generator-plugin-wp) */@@ -206,7 +206,7 @@ * @var string * @since 0.0.0 */- const VERSION = '1.6.9.9';+ const VERSION = '1.6.9.13'; /** * URL of plugin directory.
Vulnerability Existed: no

No Vulnerabilities Detected

Explanation:
This diff contains only version number updates from 1.6.9.9 to 1.6.9.13 in three locations:
1. Plugin header (line 6)
2. PHPDoc comment (line 18)
3. VERSION constant (line 209)

These are metadata changes that update the version string. No code logic, security controls, input validation, authentication, authorization, or other security-relevant functionality has been modified. Version bumps alone do not introduce or fix vulnerabilities unless accompanied by actual code changes. Without visibility into what code changes were made between these versions (this diff only shows version strings), no security vulnerabilities can be assessed from this diff; the actual source code modifications are needed for that.
--- cache/simply-schedule-appointments_1.6.9.9/vendor/composer/installed.php 2026-01-15 00:16:08.470898418 +0000+++ cache/simply-schedule-appointments_1.6.9.13/vendor/composer/installed.php 2026-01-15 00:16:27.000047139 +0000@@ -3,7 +3,7 @@ 'name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master',- 'reference' => '1aef0ee58a3d3f1acd4f02f0244d319b85c8b2dc',+ 'reference' => '4822c23d07d7a33852badccf9a4d06e8217fb260', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(),@@ -13,7 +13,7 @@ '__root__' => array( 'pretty_version' => 'dev-master', 'version' => 'dev-master',- 'reference' => '1aef0ee58a3d3f1acd4f02f0244d319b85c8b2dc',+ 'reference' => '4822c23d07d7a33852badccf9a4d06e8217fb260', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(),
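Review bot: only the `__root__` package reference moves in both hunks and no dependency entry changes, so installed.php records that no Composer-managed third-party package was updated in this release; that is consistent with the fix being confined to the plugin's own code, but it also means vendored code that is not Composer-managed (such as the IPN listener) has no version tracking in this file at all.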
I'll analyze this code diff for security vulnerabilities.

**Analysis Result:**

Vulnerability Existed: **no**

This diff contains only reference updates in a Composer-generated file (vendor/composer/installed.php). The changes are:
- Line 6: Git reference hash updated from `1aef0ee58a3d3f1acd4f02f0244d319b85c8b2dc` to `4822c23d07d7a33852badccf9a4d06e8217fb260`
- Line 16: Same reference hash updated in the packages array

**Explanation:**
This is a metadata file that Composer generates automatically. The changes represent:
1. **No code logic changes** - This file only contains version/reference information
2. **No vulnerability introduction** - Updating the root package's commit reference in installed.php is a normal side effect of building a new release
3. **No vulnerability fix** - The hunk records the commit the 1.6.9.13 build was made from; the file itself contains no executable logic that could carry a vulnerability

The actual security impact of this release depends on the code changes in the referenced commit `4822c23d07d7a33852badccf9a4d06e8217fb260` of the simply-schedule-appointments package. Those changes are not visible in this diff, which only shows the metadata file update.

**Conclusion:**
This hunk reflects a routine rebuild of the root package; no dependency versions change and no vulnerabilities are present in the diff itself.