Booking for Appointments and Events Calendar – Amelia < 2.0.0 – Missing Authorization to Unauthenticated Multiple AJAX Actions | CVE 2025-14720 | Plugin Vulnerabilities

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.

Affects Plugins

Fixed in 2.0.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/771ed385-587c-400f-89c6-1a827c3e2c79

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

e4f2e26b-2018-4379-92d1-6fe8c9de58a7

Timeline

Publicly Published

2026-01-08 (about 4 months ago)

Added

2026-01-08 (about 4 months ago)

Last Updated

2026-01-09 (about 4 months ago)

Other

Published

Title

Published

2023-10-03

Title

WP Mail SMTP Pro < 3.8.1 - Unauthenticated Email Address Disclosure

Published

2026-04-23

Title

ACF Galerie 4 < 1.4.3 - Missing Authorization

Published

2026-03-17

Title

Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools < 7.11.3 - Missing Authorization

Published

2024-06-03

Title

Social Link Pages: link-in-bio landing pages for your social media profiles <= 1.6.9 - Missing Authorization to Arbitrary Page Creation and Cross-Site Scripting

Published

2025-05-07

Title

Music Player for WooCommerce < 1.6.0 - Missing Authorization