Home

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.

PUBLISHED Reserved 2026-04-16 | Published 2026-05-02 | Updated 2026-05-04 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-285 Improper Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-04-16:Vendor Notified
2026-05-01:Disclosed

Credits

Nicky Dev finder

References

www.wordfence.com/...-eeba-497f-9e11-79d4bebdd7a2?source=cve

plugins.trac.wordpress.org/...kingRemotelyCommandHandler.php

plugins.trac.wordpress.org/...kingRemotelyCommandHandler.php

plugins.trac.wordpress.org/...eBookingRemotelyController.php

plugins.trac.wordpress.org/...eBookingRemotelyController.php

plugins.trac.wordpress.org/...ser/UserApplicationService.php

plugins.trac.wordpress.org/...ser/UserApplicationService.php

plugins.trac.wordpress.org/...abooking&sfp_email=&sfph_mail=

cve.org (CVE-2026-6449)

nvd.nist.gov (CVE-2026-6449)

Download JSON