Two CVEs affecting the Amelia Booking plugin for WordPress are present under SQL injection (CWE-89) in the broader batch. No active exploitation evidence was present in source data. WordPress plugin SQL injection vulnerabilities are routinely mass-exploited via automated scanning; organizations running Amelia Booking on internet-facing WordPress sites should treat these as high-urgency within their web application patch cycle. Verify affected plugin versions and apply updates via the WordPress plugin repository or your WordPress management tooling.