Booking for Appointments and Events Calendar – Amelia Premium <= 7.7 and Lite < 1.2.5 – Missing Authorization to Sensitive Information Exposure | CVE 2024-6332 | Plugin Vulnerabilities

Description

The plugins are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version.

Affects Plugins

Fixed in 1.2.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2ac1e3ee-4dcc-4f45-ad07-17af750da3d1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nadim Zubidat

Verified

No

WPVDB ID

c465d76a-c8fc-4b8c-855c-fc9a19b7aeca

Timeline

Publicly Published

2024-09-04 (about 1 year ago)

Added

2024-09-04 (about 1 year ago)

Last Updated

2026-01-22 (about 7 days ago)

Other

Published

Title

Published

2025-06-26

Title

DWT < 3.3.7 - Unauthenticated Arbitrary User Password Reset

Published

2024-07-08

Title

LearnDash LMS - Reports Free < 1.8.2.2 - Missing Authorization to Plugin Settings Update

Published

2024-03-29

Title

SP Project & Document Manager <= 4.70 - Missing Authorization Stored Cross-Site Scripting

Published

2024-03-20

Title

Olive One Click Demo Import < 1.1.2 - Missing Authorization

Published

2024-12-14

Title

Popup Surveys & Polls for WordPress (Mare.io) <= 1.36 - Missing Authorization