WordPress Plugin Vulnerabilities

Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure

Description

The plugin does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerability to drain out the account balance by keep sending SMS notification.

Proof of Concept

Affects Plugins

Plugin icon
ameliabooking
Fixed in 1.0.48

References

CVE
CVE-2022-0837

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Huli from Cymetrics
Submitter
Huli from Cymetrics
Submitter website
https://cymetrics.io
Verified
Yes
WPVDB ID
0882e5c0-f319-4994-9346-aa18438fda6a

Timeline

Publicly Published
2022-03-14 (about 3 years ago)
Added
2022-03-14 (about 3 years ago)
Last Updated
2022-04-17 (about 3 years ago)

Other

Published
Title
Published
2025-10-10
Title
Newsup < 5.0.11 - Missing Authorization to Authenticated (Subscriber+) Plugin Installation
Published
2025-12-05
Title
Formstack Online Forms <= 2.0.2 - Missing Authorization
Published
2025-06-19
Title
Hello FSE Blog <= 1.0.6 - Missing Authorization
Published
2025-01-16
Title
Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2025-03-31
Title
SP Blog Designer <= 1.0.0 - Unauthenticated Arbitrary Shortcode Execution