
CVE-2025-50383: Easy!Appointments SQL injection vulnerability

CVSS Score: N/A

Basic Information

EPSS Score: 0.01215%
Published: 8/26/2025
Updated: 8/26/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name                     Ecosystem  Vulnerable Versions  First Patched Version
alextselegidis/easyappointments  composer   < 1.5.2-beta.1       1.5.2-beta.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability exists in multiple models within the Easy!Appointments application. The root cause is improper handling of the order_by parameter in the various get() and search() methods: user-supplied input was passed directly into the order_by() clause of the database query, so an attacker could inject SQL through it. The patch escapes the order_by parameter with $this->db->escape(), which neutralizes SQL metacharacters and prevents the injection. That the same flaw appears across numerous models indicates a pattern of insecure coding practice that the patch corrected.
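The pattern described above, as an added example in plain PHP (not Easy!Appointments or CodeIgniter code): an unsafe query builder that splices the order_by parameter straight into the SQL text, beside a hardened builder that allow-lists sortable columns and directions. Allow-listing is a different mitigation from the $this->db->escape() call in the patch; the table and column names are assumed.

```php
<?php
// Added example, not Easy!Appointments code. Table and column names are hypothetical.

// Vulnerable pattern: the request value lands in the SQL text unchanged,
// so any SQL the caller supplies becomes part of the ORDER BY clause.
function buildOrderByUnsafe(string $orderBy): string
{
    return 'SELECT * FROM ea_appointments ORDER BY ' . $orderBy;
}

// Hardened pattern: the parameter is matched against an allow-list of
// sortable columns and a fixed set of directions before any SQL is built.
const SORTABLE_COLUMNS = ['id', 'start_datetime', 'end_datetime', 'book_datetime'];

function buildOrderBySafe(string $orderBy): string
{
    // Accept only "<column>" or "<column> ASC|DESC" (direction case-insensitive).
    if (!preg_match('/^\s*([a-z_]+)(?:\s+(asc|desc))?\s*$/i', $orderBy, $m)) {
        throw new InvalidArgumentException('Malformed order_by parameter');
    }
    $column = strtolower($m[1]);
    $direction = strtoupper($m[2] ?? 'ASC'); // trailing unmatched group is absent from $m
    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Unsortable column: ' . $column);
    }
    return 'SELECT * FROM ea_appointments ORDER BY ' . $column . ' ' . $direction;
}

// Constructed inputs: one well-formed, one carrying SQL comment syntax.
foreach (['start_datetime desc', 'id -- anything'] as $input) {
    echo "unsafe: ", buildOrderByUnsafe($input), PHP_EOL;
    try {
        echo "safe:   ", buildOrderBySafe($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "safe:   rejected (", $e->getMessage(), ")", PHP_EOL;
    }
}
```

The unsafe builder emits the second input verbatim, while the hardened builder rejects it before a query exists; a rejected order_by value is also a useful signal to log for detection.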


WAF Protection Rules

WAF Rule

alextselegidis Easy!Appointments v*.*.* was discovered to contain a SQL injection vulnerability via the order_by parameter.
