Ameliabooking Booking For Appointments And Events Calendar Amelia vulnerabilities
13 known vulnerabilities affecting ameliabooking/booking_for_appointments_and_events_calendar_amelia.

Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: HIGH 3, MEDIUM 10

Vulnerabilities
(columns: CVE | priority | severity | CWE | CVSS | exploitation status | affected versions | date)
CVE-2026-2931 | P2 | HIGH | CWE-269 | CVSS 8.8 | Exploited | ≤ 9.1.2 | 2026-03-26
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or a
Source: nvd
CVE-2026-5465 | P2 | HIGH | CWE-639 | CVSS 8.8 | ≤ 2.1.3 | 2026-04-07
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` m
Source: nvd
CVE-2025-12482 | P3 | HIGH | CWE-89 | CVSS 7.5 | ≤ 1.2.35 | 2025-11-16
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacker
Source: nvd
CVE-2026-4668 | P3 | MEDIUM | CWE-89 | CVSS 6.5 | ≤ 2.1.2 | 2026-04-01
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the `sort` parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied `sort` parameter and lack of sufficient preparation on the existing SQL query in `Pa
Source: nvd
CVE-2024-6332 | P3 | MEDIUM | CWE-862 | CVSS 6.5 | ≤ 1.2.4 | 2024-09-05
The Booking for Appointments and Events Calendar – Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.4. This makes it possible for unauthenticated attackers to access employee
Source: nvd
CVE-2026-6449 | P4 | MEDIUM | CWE-285 | CVSS 5.3 | ≤ 2.1.2 | 2026-05-02
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unau
Source: nvd
CVE-2025-14720 | P4 | MEDIUM | CWE-862 | CVSS 5.3 | ≤ 1.2.38 | 2026-01-09
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/
Source: nvd
CVE-2024-6552 | P4 | MEDIUM | CWE-200 | CVSS 5.3 | ≤ 1.2 | 2024-08-08
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web applicatio
Source: nvd
CVE-2025-2578 | P4 | MEDIUM | CWE-200 | CVSS 5.3 | ≤ 1.2.19 | 2025-03-28
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.19 via the 'wpAmeliaApiCall' function. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The informat
Source: nvd
CVE-2022-0834 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | ≤ 1.0.46 | 2022-03-23
The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file, which allows attackers to inject arbitrary web scripts into pages that execute whenever a user accesses the booking calendar w
Source: nvd
CVE-2023-6808 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | ≤ 1.0.93 | 2024-02-05
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.93 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor
Source: nvd
CVE-2024-1484 | P4 | MEDIUM | CWE-79 | CVSS 6.1 | ≤ 1.0.98 | 2024-03-13
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameters in all versions up to, and including, 1.0.98 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that
Source: nvd
CVE-2024-6225 | P4 | MEDIUM | CWE-79 | CVSS 4.8 | ≤ 1.1.5 | 2024-06-21
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1 for the Pro version) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-leve
Source: nvd