CVE-2026-6449— WordPress plugin Booking for Appointments and Events Calendar – Amelia 授权问题漏洞

Booking for Appointments and Events Calendar – Amelia <= 2.1.2 - Unauthenticated Authorization Bypass via Remote Approval Endpoint

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a 'waiting' status. This makes it possible for unauthenticated attackers to approve any booking that is in 'waiting' status by sending a crafted request to the publicly-accessible admin-ajax endpoint.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

授权机制不恰当

WordPress plugin Booking for Appointments and Events Calendar – Amelia 授权问题漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Booking for Appointments and Events Calendar – Amelia 2.1.2及之前版本存在授权问题漏洞，该漏洞源于授权逻辑短路缺陷，可能导致未经身份验证的攻击者批准等待状态的

N/A

N/A