Medium severity 5.3 · NVD Advisory · Published May 2, 2026 · Updated May 5, 2026
CVE-2026-6449
Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.
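The short-circuit pattern the description names, as an added illustration that is not the plugin's code: the function names, the booking array shape, the token field and the rule that only 'waiting' bookings may be approved are all hypothetical. It shows how placing the token comparison behind a status test lets `&&` skip it, next to a form that validates the token unconditionally.

```php
<?php
// Constructed illustration; names and data shapes are hypothetical,
// not taken from the Amelia code base.

// Flawed shape: the token check sits behind a status test. For a
// 'waiting' booking the left operand is false, so && never evaluates
// the token comparison and the request is allowed without any token.
function canApproveFlawed(array $booking, ?string $token): bool
{
    if ($booking['status'] !== 'waiting'
        && !hash_equals($booking['token'], (string) $token)) {
        return false;
    }
    return true;
}

// Hardened shape: validate the token first and unconditionally, then
// apply the status rule as a separate business check (assumed here:
// only 'waiting' bookings may be approved).
function canApproveHardened(array $booking, ?string $token): bool
{
    if ($token === null || $token === ''
        || !hash_equals($booking['token'], $token)) {
        return false;
    }
    return $booking['status'] === 'waiting';
}

// Constructed sample bookings and requests.
$waiting = ['id' => 1, 'status' => 'waiting', 'token' => 'constructed-token-aaaa'];
$pending = ['id' => 2, 'status' => 'pending', 'token' => 'constructed-token-bbbb'];

$cases = [
    [$waiting, null, 'waiting, no token'],
    [$waiting, 'constructed-token-aaaa', 'waiting, valid token'],
    [$pending, null, 'pending, no token'],
    [$pending, 'constructed-token-bbbb', 'pending, valid token'],
];

foreach ($cases as [$booking, $token, $label]) {
    printf("%-22s flawed=%-5s hardened=%s\n", $label,
        var_export(canApproveFlawed($booking, $token), true),
        var_export(canApproveHardened($booking, $token), true));
}
```

When reviewing authorization code for this class of flaw, look for credential checks that appear as the right-hand operand of `&&` or `||` alongside a state condition.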
Affected products (1)
Patches (0)
No patches discovered yet.
References (8)
- plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Commands/Booking/Appointment/ApproveBookingRemotelyCommandHandler.php (nvd)
- plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Controller/Booking/Appointment/ApproveBookingRemotelyController.php (nvd)
- plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.2/src/Application/Services/User/UserApplicationService.php (nvd)
- plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Commands/Booking/Appointment/ApproveBookingRemotelyCommandHandler.php (nvd)
- plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Controller/Booking/Appointment/ApproveBookingRemotelyController.php (nvd)
- plugins.trac.wordpress.org/browser/ameliabooking/trunk/src/Application/Services/User/UserApplicationService.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/8d7cc468-eeba-497f-9e11-79d4bebdd7a2 (nvd)
News mentions (5)
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026) · Wordfence Blog · May 7, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026) · Wordfence Blog · Apr 30, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026) · Wordfence Blog · Apr 16, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026) · Wordfence Blog · Apr 9, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026) · Wordfence Blog · Apr 2, 2026