Skip to main content

Amelia

20 CVEs product

Monthly

CVE-2026-57702 CRITICAL Act Now

Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.

SQLi Amelia
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-48889 HIGH This Week

Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Amelia
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-40795 MEDIUM This Month

Broken access control in the Amelia booking plugin for WordPress (versions up to and including 2.2) allows low-privileged subscriber-level users to perform unauthorized high-integrity actions within the booking system. The flaw stems from missing authorization checks (CWE-862), permitting registered users - typically clients or end-users of the booking portal - to interact with data or functionality restricted to higher roles such as managers or administrators. No public exploit has been identified at time of analysis, and KEV listing is absent, but the low attack complexity and network accessibility make this a straightforward target once a subscriber account is obtained.

Authentication Bypass Amelia
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40789 HIGH This Week

Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows remote attackers to retrieve protected information without credentials, per a Patchstack advisory. With a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-201 classification, the flaw is network-reachable and trivially triggerable, though no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Amelia
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-39487 HIGH This Week

Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged users to extract database contents through improper input sanitization. The vulnerability requires high-privilege access (administrator-level) but permits cross-scope impact, enabling extraction of confidential data and potential service disruption. CVSS 7.6 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

SQLi Amelia
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2024-6332 MEDIUM This Month

The Booking for Appointments and Events Calendar - Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google WordPress Authentication Bypass Amelia
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-6225 MEDIUM This Month

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

WordPress XSS Amelia
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2024-22298 CRITICAL Act Now

Missing Authorization vulnerability in TMS Amelia ameliabooking.0.98. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Amelia
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-1484 MEDIUM PATCH This Month

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameters in all versions up to, and including, 1.0.98 due. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Amelia
NVD VulDB
CVSS 3.1
6.1
EPSS
1.3%
CVE-2023-6808 MEDIUM PATCH This Month

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.93. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Amelia
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2023-50860 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TMS Booking for Appointments and Events Calendar - Amelia allows Stored XSS.0.85. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Amelia
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-29427 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Amelia
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-27918 MEDIUM This Month

Cross-site scripting vulnerability in Appointment and Event Booking Calendar for WordPress - Amelia versions prior to 1.0.76 allows a remote unauthenticated attacker to inject an arbitrary script by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Amelia
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-0837 MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Amelia
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-0825 MEDIUM POC PATCH This Month

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Amelia
NVD WPScan
CVSS 3.1
5.4
EPSS
0.8%
CVE-2022-0720 MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Amelia
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-0834 HIGH This Week

The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS WordPress Amelia
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2022-0687 HIGH POC This Week

The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress File Upload Amelia
NVD WPScan
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-0627 MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Amelia
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0616 MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Amelia
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.

SQLi Amelia
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Amelia
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Amelia booking plugin for WordPress (versions up to and including 2.2) allows low-privileged subscriber-level users to perform unauthorized high-integrity actions within the booking system. The flaw stems from missing authorization checks (CWE-862), permitting registered users - typically clients or end-users of the booking portal - to interact with data or functionality restricted to higher roles such as managers or administrators. No public exploit has been identified at time of analysis, and KEV listing is absent, but the low attack complexity and network accessibility make this a straightforward target once a subscriber account is obtained.

Authentication Bypass Amelia
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows remote attackers to retrieve protected information without credentials, per a Patchstack advisory. With a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-201 classification, the flaw is network-reachable and trivially triggerable, though no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Amelia
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged users to extract database contents through improper input sanitization. The vulnerability requires high-privilege access (administrator-level) but permits cross-scope impact, enabling extraction of confidential data and potential service disruption. CVSS 7.6 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

SQLi Amelia
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The Booking for Appointments and Events Calendar - Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google WordPress Authentication Bypass +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

WordPress XSS Amelia
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing Authorization vulnerability in TMS Amelia ameliabooking.0.98. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Amelia
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameters in all versions up to, and including, 1.0.98 due. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Amelia
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.93. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Amelia
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TMS Booking for Appointments and Events Calendar - Amelia allows Stored XSS.0.85. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Amelia
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Amelia
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Appointment and Event Booking Calendar for WordPress - Amelia versions prior to 1.0.76 allows a remote unauthenticated attacker to inject an arbitrary script by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Amelia
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Amelia
NVD WPScan
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Amelia
NVD WPScan
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Amelia
NVD WPScan
EPSS 0% CVSS 7.2
HIGH This Week

The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS WordPress +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress File Upload +1
NVD WPScan
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Amelia
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Amelia
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy