CVE-2025-14720
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Wordfence

Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14720
EUVD
EUVD-2026-1805
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpamelia amelia to 1.2.38 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Amelia Booking plugin for WordPress allows unauthenticated attackers to perform unauthorized actions due to missing capability checks on multiple AJAX actions. This means attackers can mark payments as refunded, trigger sending of queued notifications (emails, SMS, WhatsApp), and access debug information without proper authorization.

Impact Analysis

This vulnerability can impact you by allowing attackers to manipulate payment statuses (such as marking payments as refunded without authorization), send notifications fraudulently, and access sensitive debug information. This could lead to financial discrepancies, unauthorized communication with customers, and exposure of internal system details.

Detection Guidance

You can detect exploitation attempts by monitoring for unauthorized AJAX requests targeting the Amelia Booking plugin's refund and notification endpoints. Specifically, look for unusual POST requests that attempt to mark payments as refunded or trigger notifications without proper authentication. Additionally, inspecting webhook requests to the SquareRefundWebhookCommandHandler.php endpoint for missing or invalid signature verification can help detect attempts. Commands such as using curl to simulate webhook requests or reviewing web server logs for suspicious POST requests to Amelia plugin AJAX actions can be useful. For example, you might use: curl -X POST -d '{"payment_id":"12345"}' https://yourdomain.com/wp-admin/admin-ajax.php?action=amelia_refund to test if unauthorized refund marking is possible. Also, checking logs with grep for 'admin-ajax.php?action=amelia_' can help identify suspicious activity. [1]

Mitigation Strategies

Immediately update the Amelia Booking plugin to a version later than 1.2.38 where the vulnerability is fixed. The patch includes adding signature verification for webhook requests to ensure authenticity and prevent unauthorized access. If an update is not immediately possible, restrict access to the affected AJAX endpoints by implementing additional authentication or firewall rules to block unauthenticated requests. Monitoring and blocking suspicious requests attempting to mark refunds or trigger notifications can also help mitigate risk until the patch is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14720. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart