CVE-2026-6449
Deferred Deferred - Pending Action
Improper Authorization in Amelia WordPress Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6449
EUVD
EUVD-2026-26758
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpamelia amelia to 2.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability exists in all versions of the Booking for Appointments and Events Calendar – Amelia plugin for WordPress up to and including version 2.1.2. Immediate mitigation steps include updating the plugin to a version later than 2.1.2 where the authorization logic flaw is fixed.

Until an update is applied, restrict access to the publicly-accessible admin-ajax endpoint to trusted users only, as the flaw allows unauthenticated attackers to approve bookings with 'waiting' status by sending crafted requests to this endpoint.

Executive Summary

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress has a vulnerability due to improper authorization in all versions up to and including 2.1.2.

This vulnerability arises from a logical short-circuit flaw in the authorization logic that causes token validation to be completely skipped when a booking is in a 'waiting' status.

As a result, unauthenticated attackers can approve any booking that is in 'waiting' status by sending a specially crafted request to the publicly accessible admin-ajax endpoint.

Impact Analysis

This vulnerability allows unauthenticated attackers to approve bookings without proper authorization.

Such unauthorized approvals could lead to fraudulent bookings or manipulation of appointment schedules.

This could disrupt business operations, cause financial loss, or damage trust with customers relying on the booking system.

Compliance Impact

The vulnerability allows unauthenticated attackers to approve bookings with a 'waiting' status due to improper authorization and token validation bypass.

While the CVE description does not explicitly mention compliance impacts, such unauthorized approval could lead to unauthorized data manipulation or access, potentially affecting data integrity and control.

This could have implications for compliance with standards like GDPR or HIPAA, which require strict access controls and data integrity safeguards, but no direct compliance impact is detailed in the provided information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart