CVE-2022-0837
MEDIUMAmelia < 1.0.48 - Missing Authorization in SMS Service
Title source: llmDescription
The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerability to drain out the account balance by keep sending SMS notification.
References (1)
Core 1
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/0882e5c0-f319-4994-9346-aa18438fda6a
Scores
CVSS v3
5.4
EPSS
0.0061
EPSS Percentile
44.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-862
Status
published
Products (1)
tms-outsource/amelia
< 1.0.48
Published
Apr 04, 2022
Tracked Since
Feb 18, 2026