CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.
Explanation of Vulnerability in Simple Terms
Amelia Booking for Appointments and Events Calendar versions up to 1.2.38 lack proper authorization checks, allowing unauthenticated attackers to modify booking data. The vulnerability requires no user interaction and is exploitable over the network. Site administrators should update to a version newer than 1.2.38 to prevent unauthorized changes to appointment and event information.
What an attacker can do
Modify booking and appointment data without authentication.
Potential impact on your site
Attackers can alter or corrupt appointment bookings and event calendar entries without logging in.
Conditions required to exploit
Network access only; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
