CVE-2022-0837

MEDIUM

Amelia < 1.0.48 - Missing Authorization in SMS Service

Title source: llm
STIX 2.1

Description

The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerability to drain out the account balance by keep sending SMS notification.

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/0882e5c0-f319-4994-9346-aa18438fda6a

Scores

CVSS v3 5.4
EPSS 0.0061
EPSS Percentile 44.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-862
Status published
Products (1)
tms-outsource/amelia < 1.0.48
Published Apr 04, 2022
Tracked Since Feb 18, 2026