CVE-2025-59129 HIGH

CVE-2025-59129: WordPress Appointify plugin <= 1.0.8 - SQL Injection vulnerability

Vendor Appointify

Product Appointify

Weakness CWE-89 · SQLi

Published December 30, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appointify Appointify appointify allows Blind SQL Injection.This issue affects Appointify: from n/a through <= 1.0.8.

Explanation of Vulnerability in Simple Terms

02Summary

Appointify versions 1.0.8 and earlier contain a SQL injection vulnerability in a high-privilege function. An authenticated administrator can inject malicious SQL queries to read sensitive data from the database. The vulnerability requires admin-level access and does not allow data modification, but can expose user information and site configuration details.

What an attacker can do

03Attacker Capabilities

Read sensitive data from the site's database by injecting SQL commands.

Potential impact on your site

04Site Impact

An admin account compromise could expose user data, credentials, and site configuration stored in the database.

Conditions required to exploit

05Prerequisites

Attacker must have administrator-level access to the Appointify application.

Key dates

06Disclosure timeline

December 30, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-59129 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities