CVE-2026-6449
Deferred Deferred - Pending Action

Improper Authorization in Amelia WordPress Plugin

Vulnerability report for CVE-2026-6449, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-07-06
AI Q&A
2026-05-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpamelia amelia to 2.1.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress has a vulnerability due to improper authorization in all versions up to and including 2.1.2.

This vulnerability arises from a logical short-circuit flaw in the authorization logic that causes token validation to be completely skipped when a booking is in a 'waiting' status.

As a result, unauthenticated attackers can approve any booking that is in 'waiting' status by sending a specially crafted request to the publicly accessible admin-ajax endpoint.

Impact Analysis

This vulnerability allows unauthenticated attackers to approve bookings without proper authorization.

Such unauthorized approvals could lead to fraudulent bookings or manipulation of appointment schedules.

This could disrupt business operations, cause financial loss, or damage trust with customers relying on the booking system.

Compliance Impact

The vulnerability allows unauthenticated attackers to approve bookings with a 'waiting' status due to improper authorization and token validation bypass.

While the CVE description does not explicitly mention compliance impacts, such unauthorized approval could lead to unauthorized data manipulation or access, potentially affecting data integrity and control.

This could have implications for compliance with standards like GDPR or HIPAA, which require strict access controls and data integrity safeguards, but no direct compliance impact is detailed in the provided information.

Mitigation Strategies

The vulnerability exists in all versions of the Booking for Appointments and Events Calendar – Amelia plugin for WordPress up to and including version 2.1.2. Immediate mitigation steps include updating the plugin to a version later than 2.1.2 where the authorization logic flaw is fixed.

Until an update is applied, restrict access to the publicly-accessible admin-ajax endpoint to trusted users only, as the flaw allows unauthenticated attackers to approve bookings with 'waiting' status by sending crafted requests to this endpoint.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart