Booking for Appointments and Events Calendar – Amelia < 1.2.20 – Unauthenticated Full Path Disclosure | CVE 2025-2578 | Plugin Vulnerabilities

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.19 via the 'wpAmeliaApiCall' function. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Affects Plugins

Fixed in 1.2.20

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6806e07b-96bf-43ad-a3ac-2105e7449e3c

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

zhuxuan wu

Verified

No

WPVDB ID

5849a426-27eb-40d7-85f4-328a27305ab6

Timeline

Publicly Published

2025-03-27 (about 1 year ago)

Added

2025-03-27 (about 1 year ago)

Last Updated

2025-03-28 (about 1 year ago)

Other

Published

Title

Published

2024-08-09

Title

myCred < 2.7.3 - Unauthenticated Information Exposure

Published

2025-12-08

Title

AI CoPilot < 1.2.8 - Authenticated (Contributor+) Sensitive Information Exposure

Published

2026-03-18

Title

Download Manager < 3.3.50 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter

Published

2024-08-08

Title

affiliate-toolkit < 3.6 - Unauthenticated Full Path Dislcosure

Published

2026-01-21

Title

Salon booking system < 10.30.4 - Authenticated (Subscriber+) Information Exposure