Description
The Amelia WordPress plugin before 1.0.47 does not perform proper authorisation when managing appointments, allowing any customer to update other customers' bookings, as well as retrieve sensitive information about those bookings, such as the full name and phone number of the person who made the booking.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/435ef99c-9210-46c7-80a4-09cd4d3d00cf
Scores
CVSS v3: 5.4
EPSS: 0.0061
EPSS Percentile: 44.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE: CWE-863
Status: published
Products (1): tms-outsource/amelia < 1.0.47
Published: Mar 28, 2022
Tracked Since: Feb 18, 2026