Booking for Appointments and Events Calendar - Amelia Missing Authorization Vulnerability in AJAX Actions

Vulnerability

A vulnerability exists in the Booking for Appointments and Events Calendar - Amelia WordPress plugin, in all versions through 1.2.38. The plugin performs inadequate capability checks on several of its AJAX actions, so those actions can be invoked by callers who should not be authorized to use them. This enables unauthenticated attackers to manipulate payment statuses, such as marking payments as refunded, to trigger the sending of queued notifications via email, SMS, or WhatsApp, and to access debug information, among other potential actions.
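
The defect class described above is a WordPress AJAX handler that does work reserved for administrators without first checking that the caller holds the required capability. The following is an added illustration, not code from the Amelia plugin; the `example_` action names, the hypothetical payment-status post meta and the `manage_options` capability are assumptions chosen for the example. It places a weak handler of that shape beside a hardened version that uses the standard WordPress checks.

```php
<?php
// Added example, not Amelia's code. All "example_" names are hypothetical.
// Contrast: a privileged AJAX action with no authorization check, and the
// same action written with the checks WordPress provides for it.

// --- Weak pattern -----------------------------------------------------------
// Registered on wp_ajax_nopriv_* (reachable without logging in) AND on
// wp_ajax_* for logged-in users, with no capability or nonce check at all.
add_action( 'wp_ajax_nopriv_example_update_payment_status', 'example_update_payment_status_weak' );
add_action( 'wp_ajax_example_update_payment_status', 'example_update_payment_status_weak' );

function example_update_payment_status_weak() {
    // Anyone who can reach admin-ajax.php can change a payment's status.
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );
    update_post_meta( $payment_id, '_example_payment_status', $status ); // hypothetical storage
    wp_send_json_success();
}

// --- Hardened form ----------------------------------------------------------
// Only the logged-in hook is registered. Unauthenticated requests to this
// action never reach the callback: admin-ajax.php answers "0" for them.
add_action( 'wp_ajax_example_update_payment_status_v2', 'example_update_payment_status_hardened' );

function example_update_payment_status_hardened() {
    // 1. CSRF protection: the request must carry a nonce created with
    //    wp_create_nonce( 'example_payment_status' ) in the "nonce" field.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_payment_status', 'nonce' );

    // 2. Authorization: require a specific capability, not merely "logged in".
    //    (Capability chosen for the example; a real plugin would use its own.)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: allow-list the status and require a real payment id.
    $allowed    = array( 'pending', 'paid', 'refunded' );
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );

    if ( 0 === $payment_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    update_post_meta( $payment_id, '_example_payment_status', $status ); // hypothetical storage
    wp_send_json_success( array( 'payment_id' => $payment_id, 'status' => $status ) );
}
```

When reviewing a plugin for this class of issue, the two questions to ask of every `wp_ajax_*` callback are whether it is also exposed under `wp_ajax_nopriv_*`, and whether the callback itself calls `current_user_can()` with a capability appropriate to the action. Being logged in is not authorization, and a nonce alone only defends against cross-site request forgery, not against a low-privileged or anonymous caller who can obtain one.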

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of payment statuses, including refunding payments, and the unauthorized sending of notifications through various channels, such as email, SMS, or WhatsApp. Additionally, the vulnerability allows access to debug information, which could be exploited for further attacks or to gain additional insights into the application.

Remediation

Users are advised to update the Booking for Appointments and Events Calendar - Amelia plugin to version 2.0.0 or a newer patched version.

Added: Jan 9, 2026, 7:27 AM
Updated: Jan 9, 2026, 7:27 AM

Vulnerability Rating

Custom Algorithm

  spread:         0.0
  impact:         3.1
  exploitability: 8.1
  remediation:    7.7
  relevance:      2.0
  threat:         3.2
  urgency:        2.9
  incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.