Booking for Appointments and Events Calendar – Amelia < 2.2.1 – Missing Authorization | CVE 2026-40795 | Plugin Vulnerabilities

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Fixed in 2.2.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/359aae96-8b6d-4365-b0c1-f0c7220383c9

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Niv Kochan

Verified

No

WPVDB ID

406cbf7c-9239-447b-a259-2a0345a1faed

Timeline

Publicly Published

2026-04-28 (about 15 days ago)

Added

2026-05-04 (about 9 days ago)

Last Updated

2026-05-04 (about 9 days ago)

Other

Published

Title

Published

2024-04-22

Title

Flexible Shipping < 4.24.16 - Missing Authorization

Published

2024-12-23

Title

ALL In One Custom Login Page < 7.1.2 - Missing Authorization to Authenticated (Subscriber+)Privilege Escalation

Published

2026-01-05

Title

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress < 7.6.2 - Missing Authorization to Authenticated (Subscriber+) Information Exposure

Published

2024-04-22

Title

Reviews Plus < 1.3.5 - Missing Authorization to Notice Dismissal

Published

2025-06-04

Title

Icegram Collect – Easy Form, Lead Collection and Subscription plugin < 1.3.19 - Missing Authorization