CVE-2025-14720
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Wordfence

Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.
Meta Information
Published: 2026-01-09
Last Modified: 2026-01-09
Generated: 2026-05-07
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Vendor: wpamelia
Product: amelia
Version / Range: up to and including 1.2.38
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Amelia Booking plugin for WordPress allows unauthenticated attackers to perform unauthorized actions due to missing capability checks on multiple AJAX actions. This means attackers can mark payments as refunded, trigger sending of queued notifications (emails, SMS, WhatsApp), and access debug information without proper authorization.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to manipulate payment statuses (such as marking payments as refunded without authorization), send notifications fraudulently, and access sensitive debug information. This could lead to financial discrepancies, unauthorized communication with customers, and exposure of internal system details.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect exploitation attempts by monitoring for unauthorized AJAX requests targeting the Amelia Booking plugin's refund and notification endpoints. Specifically, look for unusual POST requests that attempt to mark payments as refunded or trigger notifications without proper authentication. Additionally, inspecting webhook requests to the SquareRefundWebhookCommandHandler.php endpoint for missing or invalid signature verification can help detect attempts. Commands such as using curl to simulate webhook requests or reviewing web server logs for suspicious POST requests to Amelia plugin AJAX actions can be useful. For example, you might use: curl -X POST -d '{"payment_id":"12345"}' https://yourdomain.com/wp-admin/admin-ajax.php?action=amelia_refund to test if unauthorized refund marking is possible. Also, checking logs with grep for 'admin-ajax.php?action=amelia_' can help identify suspicious activity. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediately update the Amelia Booking plugin to a version later than 1.2.38 where the vulnerability is fixed. The patch includes adding signature verification for webhook requests to ensure authenticity and prevent unauthorized access. If an update is not immediately possible, restrict access to the affected AJAX endpoints by implementing additional authentication or firewall rules to block unauthenticated requests. Monitoring and blocking suspicious requests attempting to mark refunds or trigger notifications can also help mitigate risk until the patch is applied. [1]

