CVE-2026-6449
Improper Authorization in Amelia WordPress Plugin
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpamelia | amelia | up to and including 2.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress has a vulnerability due to improper authorization in all versions up to and including 2.1.2.
This vulnerability arises from a logical short-circuit flaw in the authorization logic that causes token validation to be completely skipped when a booking is in a 'waiting' status.
As a result, unauthenticated attackers can approve any booking that is in 'waiting' status by sending a specially crafted request to the publicly accessible admin-ajax endpoint.
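The "logical short-circuit flaw" described above is a general CWE-285 pattern: a status condition is OR-ed with the token check, so when the status matches, the token is never evaluated. The following PHP snippet is an added illustration of that pattern and of a hardened form; it is constructed for this page and is not Amelia's code. The function names, the booking array shape, the 'waiting' status value and the HMAC token scheme are assumptions made for the example.

```php
<?php
// Added illustration (not the Amelia plugin's code) of a short-circuit
// authorization flaw beside a hardened check. Names and token scheme are
// assumptions for this example.

declare(strict_types=1);

// Placeholder secret; a real deployment keeps this server-side and out of code.
const APPROVAL_SECRET = 'replace-with-a-server-side-secret';

/** Verify an HMAC approval token bound to a booking id (constructed scheme). */
function token_is_valid(int $bookingId, string $token): bool
{
    $expected = hash_hmac('sha256', (string) $bookingId, APPROVAL_SECRET);
    return hash_equals($expected, $token);
}

/**
 * Flawed: for a 'waiting' booking the left operand is true, PHP short-circuits
 * the ||, and token_is_valid() is never called. Any caller can approve it.
 */
function can_approve_flawed(array $booking, string $token): bool
{
    return $booking['status'] === 'waiting'
        || token_is_valid((int) $booking['id'], $token);
}

/**
 * Hardened: the token is verified unconditionally; the status only narrows
 * which bookings are eligible. Neither condition can bypass the other.
 */
function can_approve_hardened(array $booking, string $token): bool
{
    if (!token_is_valid((int) $booking['id'], $token)) {
        return false;
    }
    return $booking['status'] === 'waiting';
}

// Constructed sample: a waiting booking and a token from an unauthenticated caller.
$booking  = ['id' => 42, 'status' => 'waiting'];
$badToken = 'not-a-valid-token';

var_dump(can_approve_flawed($booking, $badToken));
var_dump(can_approve_hardened($booking, $badToken));

// A legitimately issued token is accepted by the hardened check.
$goodToken = hash_hmac('sha256', '42', APPROVAL_SECRET);
var_dump(can_approve_hardened($booking, $goodToken));
```

Run with `php example.php`. With the invalid token, the flawed check still grants approval for the waiting booking while the hardened check denies it; only the correctly derived token passes the hardened check. When reviewing similar code, the check to make is whether any branch of the boolean expression can become true without the credential ever being evaluated.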
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to approve bookings without proper authorization.
Such unauthorized approvals could lead to fraudulent bookings or manipulation of appointment schedules.
This could disrupt business operations, cause financial loss, or damage trust with customers relying on the booking system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to approve bookings with a 'waiting' status due to improper authorization and token validation bypass.
While the CVE description does not explicitly mention compliance impacts, such unauthorized approval could lead to unauthorized data manipulation or access, potentially affecting data integrity and control.
This could have implications for compliance with standards like GDPR or HIPAA, which require strict access controls and data integrity safeguards, but no direct compliance impact is detailed in the provided information.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists in all versions of the Booking for Appointments and Events Calendar – Amelia plugin for WordPress up to and including version 2.1.2. Immediate mitigation steps include updating the plugin to a version later than 2.1.2 where the authorization logic flaw is fixed.
Until an update is applied, restrict access to the publicly accessible admin-ajax endpoint to trusted users only, as the flaw allows unauthenticated attackers to approve bookings with 'waiting' status by sending crafted requests to this endpoint.