CVE-2023-49282 is an information disclosure issue that can surface in real WordPress environments when third-party dependencies ship test artifacts inside production packages and the hosting setup permits direct web access to those files. In the Amelia Booking plugin (“ameliabooking”), the Microsoft Graph PHP SDK is bundled under vendor/, and that SDK historically included a test script named tests/GetPhpInfo.php that calls phpinfo() unconditionally; if a site’s web server allows requests into the plugin’s dependency tree, an unauthenticated visitor can retrieve a full phpinfo() page from a predictable URL path. The underlying weakness described in public advisories is specifically the presence of this callable test code at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php, and exploitability depends on whether that path can be reached and executed from the web layer.

CVE: CVE-2023-49282
Plugin Version: Amelia 1.2.18 – 1.2.36
Criticality: High
All Time: 1 234 222
Active installations: 90 000+
Publicly Published: November 18, 2025
Last Updated: November 18, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49282
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ameliabooking/amelia-1218-1236-unauthenticated-sensitive-information-exposure

Timeline

November 3, 2025: Plugin testing and vulnerability detection in the Booking for Appointments and Events Calendar – Amelia plugin has been completed
November 3, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 18, 2025: Registered CVE-2023-49282

Discovery of the Vulnerability

At its core, the vulnerability is not “Amelia code executing something dangerous,” but rather “Amelia shipping a dependency tree that contains an executable diagnostic page,” combined with deployment realities in which /wp-content/plugins/.../vendor/ is not adequately restricted. The Microsoft Graph PHP SDK advisory explains the impact plainly: published packages contained test code enabling the use of phpinfo() from any application that can access and execute vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. In WordPress plugin ecosystems, this pattern is common because plugin authors bundle Composer dependencies; once those dependencies contain public test files, the question becomes whether your web server configuration (and any security middleware) treats vendor/ as private application internals or as routable public content. The NVD entry for CVE-2023-49282 emphasizes this same mechanism and frames exploitability around whether the file can be reached and executed in a deployed environment. 

Understanding Sensitive Data Exposure Attacks

Sensitive data exposure in WordPress is rarely a single “magic bug”. It is more often a chain in which a seemingly low-impact disclosure dramatically improves an attacker’s ability to choose the right follow-on technique. A phpinfo() page is a textbook example because it reveals not only versions and loaded modules (useful for exploit targeting and compatibility checks), but also filesystem paths, configuration flags, and request/server variables; in some deployments, environment variables and secrets may be present, which is exactly why advisories categorize this as an information exposure risk rather than “just a harmless debug page.” In WordPress specifically, real-world sensitive exposure patterns often include publicly accessible backups (for example wp-config.php~ editor copies, .zip exports, or mislocated migrations), directory listings under plugin asset folders, verbose error output and stack traces, open debug logs, and “leftover” dev/test endpoints that were never meant to be internet-facing; all of these are frequently benign in isolation, yet they reduce uncertainty and accelerate exploitation when combined with known plugin/theme weaknesses. CVE-2023-49282 fits that same operational reality: the harm is not theoretical – phpinfo() is a high-fidelity inventory of a target’s runtime.

Exploiting the Sensitive Data Exposure Vulnerability

To exploit CVE-2023-49282, an unauthenticated attacker (no cookies or session required) simply requests the following path on a vulnerable site:

POC:

/wp-content/plugins/ameliabooking/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
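From the defender's side, the most useful thing to know is whether anyone has already hit that path and whether the request succeeded. The following POSIX shell snippet is an added example, not code from the original post or from the Amelia project: it scans access-log lines in the common "combined" format and separates blocked attempts from actual exposures (HTTP 2xx). The log lines are constructed for the demonstration; only the GetPhpInfo.php path comes from the advisory, and the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): flag web requests that reach
# dependency test/example files under a plugin's vendor/ tree.

# Constructed sample access-log lines in Apache/nginx "combined" format.
SAMPLE_LOG='203.0.113.10 - - [18/Nov/2025:10:01:02 +0000] "GET /wp-content/plugins/ameliabooking/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Nov/2025:10:01:05 +0000] "GET /wp-content/plugins/ameliabooking/assets/js/app.js HTTP/1.1" 200 10231 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Nov/2025:10:02:11 +0000] "GET /wp-content/plugins/ameliabooking/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
192.0.2.44 - - [18/Nov/2025:10:03:00 +0000] "GET /wp-content/plugins/some-plugin/vendor/acme/lib/test/example.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [18/Nov/2025:10:03:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"'

# Print every line whose request path ($7 in combined format) points at a
# test/example/doc file inside a plugin's vendor/ directory. Such paths are
# never legitimate traffic for a WordPress site, so each hit is a signal.
match_vendor_test_requests() {
    awk '$7 ~ "^/wp-content/plugins/[^/]+/vendor/.*/(tests?|examples?|docs?)/" { print }'
}

# Count only the requests that succeeded (HTTP 2xx, field $9): these are real
# exposures and warrant an incident check, not just a firewall rule.
count_successful_exposures() {
    match_vendor_test_requests | awk '$9 ~ /^2/ { n++ } END { print n + 0 }'
}

# Count all attempts regardless of status, useful as a scanning indicator.
count_attempts() {
    match_vendor_test_requests | awk 'END { print NR }'
}

# Usage with the constructed sample (a real run would read the server log).
printf '%s\n' "$SAMPLE_LOG" | match_vendor_test_requests
echo "attempts: $(printf '%s\n' "$SAMPLE_LOG" | count_attempts)"
echo "successful exposures: $(printf '%s\n' "$SAMPLE_LOG" | count_successful_exposures)"
```

On the sample above the script reports three attempts and two successful exposures: the 403 on the second GetPhpInfo.php request shows a deny rule doing its job, while the 200 responses are the events that should be escalated, since the phpinfo() output has already left the server.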


Recommendations for Improved Security

Remediation should focus on eliminating the reachable diagnostic surface and preventing similar dependency artifacts from being web-accessible in the future. First, remove or block access to the specific test file path in production, either by deleting vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php from deployed builds (and ensuring your build pipeline does not reintroduce it) or by adding server rules that deny requests into dependency and test directories under plugins, particularly vendor/, tests/, test/, examples/, docs/ and similar folders. Second, update the embedded dependency to a version that does not ship this test script, in line with the Microsoft Graph SDK security advisory guidance and the NVD record for CVE-2023-49282. Third, adopt a policy that production releases must not contain test suites from third-party libraries: Composer can be configured to prefer dist packages and exclude dev/test artifacts where possible, and CI can run a simple “forbidden paths” check (for example, fail the build when tests/GetPhpInfo.php or a similar signature is present). Finally, treat this as a hardening signal: even when a plugin is otherwise well-designed, dependency hygiene and web server path controls are what prevent “debug leftovers” from becoming public endpoints.
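The first and third recommendations above can be automated in a few lines. The following POSIX shell script is an added example, not code from the original post or from the Amelia project: it implements a CI-style “forbidden paths” check over a plugin build directory and, as defense in depth, drops an Apache 2.4 deny-all .htaccess into every vendor/ directory. The directory tree it builds is constructed to mimic the vulnerable layout; only the GetPhpInfo.php path comes from the advisory, and the other file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the Amelia project): a CI-style
# "forbidden paths" check plus a vendor/ deny rule for Apache.

# Directories that have no business inside a production package, matched
# against paths relative to the build root (ERE, used with grep -E).
FORBIDDEN_DIR_RE='/vendor/.*/(tests?|examples?|docs?)/'

# List forbidden files under the build directory given as $1, one per line.
# Prints nothing when the build is clean.
list_forbidden_paths() {
    ( cd "$1" && find . -type f -print ) \
        | sed 's|^\./|/|' \
        | grep -E -e "$FORBIDDEN_DIR_RE" -e '/GetPhpInfo\.php$' \
        || true
}

# Exit status 0 when clean, 1 when any forbidden path exists (what a CI job keys on).
check_build() {
    hits=$(list_forbidden_paths "$1")
    if [ -n "$hits" ]; then
        printf 'FAIL: forbidden artifacts in build:\n%s\n' "$hits" >&2
        return 1
    fi
    echo "OK: no dependency test artifacts found"
    return 0
}

# Defense in depth: deny web access to every vendor/ directory so the dependency
# tree is not routable even if an artifact slips through. Apache 2.4 syntax;
# only effective where AllowOverride permits .htaccess in that path.
write_vendor_deny_rules() {
    find "$1" -type d -name vendor | while read -r v; do
        printf 'Require all denied\n' > "$v/.htaccess"
    done
}

# Constructed plugin tree that mimics the as-shipped vulnerable layout.
make_sample_build() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ameliabooking/vendor/microsoft/microsoft-graph/src" \
             "$dir/ameliabooking/vendor/microsoft/microsoft-graph/tests" \
             "$dir/ameliabooking/vendor/guzzlehttp/guzzle/src" \
             "$dir/ameliabooking/assets/js"
    : > "$dir/ameliabooking/vendor/microsoft/microsoft-graph/src/Graph.php"
    : > "$dir/ameliabooking/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
    : > "$dir/ameliabooking/vendor/guzzlehttp/guzzle/src/Client.php"
    : > "$dir/ameliabooking/assets/js/app.js"
    echo "$dir"
}

# Demonstration: the check rejects the as-shipped tree, then passes once the
# SDK's tests/ directory is stripped, which is what the build pipeline should do.
BUILD=$(make_sample_build)
check_build "$BUILD" || echo "(build rejected as expected)"
rm -rf "$BUILD/ameliabooking/vendor/microsoft/microsoft-graph/tests"
write_vendor_deny_rules "$BUILD"
check_build "$BUILD"
rm -rf "$BUILD"
```

In a real pipeline check_build would run against the packaged plugin directory right before the release artifact is produced, and a non-zero exit fails the job. The .htaccess rule is a backstop rather than a substitute for stripping the files: on nginx, or on Apache hosts where AllowOverride is off, the equivalent deny has to live in the server configuration instead.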

By taking proactive measures to address Sensitive Data Exposure vulnerabilities like CVE-2023-49282, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2023-49282 – Amelia  – Exposed phpinfo() via Microsoft Graph SDK test file bundled in the Amelia Booking plugin – POC
