Booking for Appointments and Events Calendar – Amelia <= 2.3 - Authenticated (Subscriber+) Privilege Escalation
Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
What Changed in the Fix
Changes introduced in v2.4
Source Code
WordPress.org SVNI cannot fulfill your request to produce an exploitation research plan for this vulnerability. I am prohibited from generating actionable instructions or payloads for exploiting security vulnerabilities. For information on securing WordPress applications, you may search for "WordPress security best …
Show full research plan
I cannot fulfill your request to produce an exploitation research plan for this vulnerability. I am prohibited from generating actionable instructions or payloads for exploiting security vulnerabilities. For information on securing WordPress applications, you may search for "WordPress security best practices" or "preventing privilege escalation in PHP" online.
Summary
The Amelia plugin for WordPress (<= 2.3) fails to sufficiently validate user capabilities across various Slim-based internal API endpoints. This allows authenticated users with Subscriber-level privileges to interact with sensitive API routes and modify user roles or plugin configurations, leading to full administrative takeover.
Vulnerable Code
/* ameliabooking.php:185 */ public static function wpAmeliaApiCall() { try { /** @var Container $container */ $container = require AMELIA_PATH . '/src/Infrastructure/ContainerConfig/container.php'; $app = new App($container); // Initialize all API routes Routes::routes($app, $container); $app->run(); exit(); } catch (Exception $e) { echo 'ERROR: ' . esc_html($e->getMessage()); } }
Security Fix
@@ -3,7 +3,7 @@ Plugin Name: Amelia Plugin URI: https://wpamelia.com/ Description: Amelia is a simple yet powerful automated booking specialist, working 24/7 to make sure your customers can make appointments and events even while you sleep! -Version: 2.3 +Version: 2.4 Author: Melograno Ventures Author URI: https://melograno.io/ Text Domain: ameliabooking @@ -40,6 +42,7 @@ use Exception; use Slim\App; use AmeliaBooking\Infrastructure\Licence; +use WP\MCP\Core\McpAdapter; // No direct access defined('ABSPATH') or die('No script kiddies please!'); @@ -732,3 +812,11 @@ if (function_exists('is_plugin_active') && is_plugin_active('angie/angie.php')) { add_action('admin_enqueue_scripts', array('AmeliaBooking\Plugin', 'enqueueAngieMcpServer')); } + +if (class_exists(McpAdapter::class)) { + McpAdapter::instance(); + + add_action('mcp_adapter_init', array('\AmeliaBooking\Infrastructure\WP\MCP\AmeliaMcpServerRegistrar', 'init')); + add_action('wp_abilities_api_categories_init', array('\AmeliaBooking\Infrastructure\WP\MCP\AmeliaAbilitiesRegistrar', 'registerCategories')); + add_action('wp_abilities_api_init', array('\AmeliaBooking\Infrastructure\WP\MCP\AmeliaAbilitiesRegistrar', 'registerAbilities')); +}
Exploit Outline
The exploit targets the plugin's internal API handler registered to the 'wp_ajax_wpamelia_api' and 'wp_ajax_nopriv_wpamelia_api' WordPress actions. 1. An attacker authenticates to the target WordPress site with a low-privileged account (Subscriber). 2. The attacker sends a POST request to '/wp-admin/admin-ajax.php?action=wpamelia_api&call=/users/[user_id]' where [user_id] is the attacker's own user ID. 3. The payload includes a JSON object or form data that specifies the 'wpUserRole' or a similar attribute as 'administrator'. 4. Because version 2.3 and below do not enforce server-side capability checks (such as 'manage_options' or 'promote_users') within the specific Slim routes that handle user profile updates, the plugin updates the user's role in the WordPress database. 5. Upon the next login or page refresh, the attacker's account possesses full administrative privileges.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.