1.0.48

CVSS 5.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

tms-outsource

CWE-863

NVD

Published: 2022-04-04

Updated: 2022-06-03

Summary

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.

Vulnerable Configurations

Part	Description	Count
Application	Tms-Outsource TMS Outsource Amelia 1.0.46 TMS Outsource Amelia 1.0.47 TMS Outsource Amelia 1.0.48	3

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://wpscan.com/vulnerability/1a92a65f-e9df-41b5-9a1c-8e24ee9bf50e
https://plugins.trac.wordpress.org/changeset/2693545