CVE-2026-6449
Published 2026-05-02
CVE-2026-6449: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including…
Priority: P434 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.46% (36.4th percentile)
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ameliabooking | booking_for_appointments_and_events_calendar_amelia | <= 2.1.2 | — |
VulDB
CVE-2026-6449 [MEDIUM] ameliabooking Booking for Appointments and Events Calendar Plugin Request improper authorization (EUVD-2026-26758)
Source: vuldb · 2026-05-02 · CVSS 5.3
A vulnerability classified as critical has been found in ameliabooking Booking for Appointments and Events Calendar Plugin up to 2.1.2 on WordPress. Affected is an unknown function of the component Request Handler. The manipulation leads to improper authorization.
This vulnerability is documented as CVE-2026-6449. The attack can be initiated remotely. There is no exploit available.
GHSA
CVE-2026-6449 [MEDIUM] CWE-285 GHSA-w8hw-gcrw-wj77
Source: ghsa_unreviewed · 2026-05-02
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Commands/Booking/Appointment/ApproveBookingRemotelyCommandHandler.php#L97
https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Controller/Booking/Appointment/ApproveBookingRemotelyController.php#L41
https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Services/User/UserApplicationService.php#L647
https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Commands/Booking/Appointment/ApproveBookingRemotelyCommandHandler.php#L97
https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Controller/Booking/Appointment/ApproveBookingRemotelyController.php#L41
https://plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Services/User/UserApplicationService.php#L647
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3516430%40ameliabooking&new=3516430%40ameliabooking&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/8d7cc468-eeba-497f-9e11-79d4bebdd7a2?source=cve