Amelia
Monthly
Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.
Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Broken access control in the Amelia booking plugin for WordPress (versions up to and including 2.2) allows low-privileged subscriber-level users to perform unauthorized high-integrity actions within the booking system. The flaw stems from missing authorization checks (CWE-862), permitting registered users - typically clients or end-users of the booking portal - to interact with data or functionality restricted to higher roles such as managers or administrators. No public exploit has been identified at time of analysis, and KEV listing is absent, but the low attack complexity and network accessibility make this a straightforward target once a subscriber account is obtained.
Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows remote attackers to retrieve protected information without credentials, per a Patchstack advisory. With a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-201 classification, the flaw is network-reachable and trivially triggerable, though no public exploit identified at time of analysis and no CISA KEV listing.
Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged users to extract database contents through improper input sanitization. The vulnerability requires high-privilege access (administrator-level) but permits cross-scope impact, enabling extraction of confidential data and potential service disruption. CVSS 7.6 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
The Booking for Appointments and Events Calendar - Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
Missing Authorization vulnerability in TMS Amelia ameliabooking.0.98. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameters in all versions up to, and including, 1.0.98 due. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.93. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TMS Booking for Appointments and Events Calendar - Amelia allows Stored XSS.0.85. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting vulnerability in Appointment and Event Booking Calendar for WordPress - Amelia versions prior to 1.0.76 allows a remote unauthenticated attacker to inject an arbitrary script by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.
Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Broken access control in the Amelia booking plugin for WordPress (versions up to and including 2.2) allows low-privileged subscriber-level users to perform unauthorized high-integrity actions within the booking system. The flaw stems from missing authorization checks (CWE-862), permitting registered users - typically clients or end-users of the booking portal - to interact with data or functionality restricted to higher roles such as managers or administrators. No public exploit has been identified at time of analysis, and KEV listing is absent, but the low attack complexity and network accessibility make this a straightforward target once a subscriber account is obtained.
Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows remote attackers to retrieve protected information without credentials, per a Patchstack advisory. With a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-201 classification, the flaw is network-reachable and trivially triggerable, though no public exploit identified at time of analysis and no CISA KEV listing.
Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged users to extract database contents through improper input sanitization. The vulnerability requires high-privilege access (administrator-level) but permits cross-scope impact, enabling extraction of confidential data and potential service disruption. CVSS 7.6 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
The Booking for Appointments and Events Calendar - Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
Missing Authorization vulnerability in TMS Amelia ameliabooking.0.98. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameters in all versions up to, and including, 1.0.98 due. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.93. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TMS Booking for Appointments and Events Calendar - Amelia allows Stored XSS.0.85. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting vulnerability in Appointment and Event Booking Calendar for WordPress - Amelia versions prior to 1.0.76 allows a remote unauthenticated attacker to inject an arbitrary script by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.