cleantalk
Vulnerabilities and Security Researches

Booking for Appointments and Events Calendar – Amelia, CVE-2025-14720

CVE, Research URL

CVE-2025-14720

Home page URL

Security reports for Booking for Appointments and Events Calendar – Amelia

Application

Booking for Appointments and Events Calendar – Amelia

Published on
Jan 09, 2026
Research Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.
Affected versions
max 2.0.0.
Status
vulnerable
Previous vulnerability researches
Booking for Appointments and Events Calendar – Amelia (CVE-2025-14720) , Jan 27, 2026
Booking for Appointments and Events Calendar – Amelia (CVE-2026-24967) , Mar 29, 2026
Booking for Appointments and Events Calendar – Amelia (CVE-2026-24963) , Mar 29, 2026
Booking for Appointments and Events Calendar – Amelia (CVE-2024-22298) , Jun 10, 2024
Booking for Appointments and Events Calendar – Amelia (CVE-2024-6225) , Jun 22, 2024
New vulnerability
Subscriptions for WooCommerce – Subscription Plugin for Collecting Recurring Revenue, Sell Membership Subscription Servic (CVE-2026-24372) , Mar 29, 2026
Meta Box – WordPress Custom Fields Framework (CVE-2025-14675) , Mar 29, 2026
Admin and Site Enhancements (ASE) (CVE-2026-32423) , Mar 29, 2026
Royal Elementor Addons and Templates (CVE-2026-28135) , Mar 29, 2026
Royal Elementor Addons and Templates (CVE-2025-13067) , Mar 29, 2026