CVE-2022-0825

Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update

EPSS 0.8%CWE-863

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

04 Apr 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.

Affected products

Unknown · Amelia – Events & Appointments Booking Calendar

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/2693545 https://wpscan.com/vulnerability/1a92a65f-e9df-41b5-9a1c-8e24ee9bf50e