WordPress Plugin Vulnerabilities

Amelia 1.2.18 - 1.2.36 - Unauthenticated Sensitive Information Exposure

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 1.2.18 to 1.2.36 via the 'phpinfo' function. This makes it possible for unauthenticated attackers to extract sensitive data including server and environment configurations.

Affects Plugins

Plugin icon
ameliabooking
Fixed in 1.2.37

References

CVE
CVE-2023-49282
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb0f690-c977-43de-a713-9d02ee99ba2e

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
a1096cea-64c3-4660-83a4-c017044c0579

Timeline

Publicly Published
2025-11-18 (about 5 months ago)
Added
2025-11-18 (about 5 months ago)
Last Updated
2026-01-16 (about 3 months ago)

Other

Published
Title
Published
2025-05-01
Title
Yame | Link In Bio <= 0.9.0 - Unauthenticated Information Exposure
Published
2025-07-23
Title
AI Engine < 2.9.5 - Missing URL Scheme Validation to Authenticated (Subscriber+) Arbitrary File Read via simpleTranscribeAudio and get_audio Functions
Published
2025-07-16
Title
JetEngine < 3.7.1.1 - Authenticated (Subscriber+) Information Exposure
Published
2022-10-21
Title
Quiz And Survey Master < 7.3.11 - Sensitive Information Disclosure
Published
2026-03-22
Title
King Addons for Elementor < 51.1.51 - Unauthenticated API Keys Disclosure