Skip to main content
CVE Vulnerability Database

CVE-2025-2578: Amelia WordPress Plugin Path Disclosure Flaw

CVE-2025-2578 is a full path disclosure vulnerability in the Amelia booking plugin for WordPress that allows unauthenticated attackers to retrieve application paths. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-2578 Overview

CVE-2025-2578 is a Full Path Disclosure vulnerability in the Booking for Appointments and Events Calendar – Amelia plugin for WordPress. All versions up to and including 1.2.19 are affected. The flaw resides in the wpAmeliaApiCall function, which returns error output containing the absolute server path of the web application. Unauthenticated attackers can trigger the disclosure over the network without user interaction. The exposed path does not directly compromise the site but provides reconnaissance data that supports chained exploitation. The weakness is classified under [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor].

Critical Impact

Unauthenticated remote attackers can retrieve the full filesystem path of the WordPress installation, aiding follow-on attacks such as local file inclusion or targeted exploitation of other vulnerabilities.

Affected Products

  • Booking for Appointments and Events Calendar – Amelia plugin for WordPress
  • All versions up to and including 1.2.19
  • WordPress sites using the Amelia booking functionality

Discovery Timeline

  • 2025-03-28 - CVE-2025-2578 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-2578

Vulnerability Analysis

The Amelia plugin exposes an AJAX-style entry point through the wpAmeliaApiCall function registered in ameliabooking.php. When the function processes malformed or unexpected input, PHP error handling generates output containing the absolute server path of the plugin file. The response is returned to the caller without sanitization or generic error replacement.

The issue is classified as an Information Disclosure vulnerability. The confidentiality impact is limited to path metadata, and the vulnerability does not affect integrity or availability. Exploitation succeeds without authentication or user interaction, since the API entry point is reachable by any anonymous HTTP client.

Attackers use disclosed paths to construct targeted payloads for other vulnerabilities. Full Path Disclosure commonly accelerates local file inclusion, log poisoning, and PHP object injection chains. The EPSS score is 0.364% at the 28.4 percentile, reflecting low observed exploitation activity.

Root Cause

The root cause is improper error handling in the request processing path invoked by wpAmeliaApiCall. The plugin relies on default PHP error output, which includes absolute file paths within stack traces or warning messages. The GetEntitiesCommandHandler.php handler at line 127 participates in the affected code path referenced by the vendor's changeset.

Attack Vector

Exploitation requires sending a crafted HTTP request to the WordPress endpoint that dispatches to the wpAmeliaApiCall function. Malformed parameters or unexpected input types cause the plugin to emit an error containing the disclosed path. No credentials, session tokens, or user interaction are required.

The vulnerability manifests through observable error responses rather than through executable code. See the Wordfence Vulnerability Analysis and the WordPress Changeset Update for the specific code changes that address the flaw.

Detection Methods for CVE-2025-2578

Indicators of Compromise

  • HTTP requests to WordPress endpoints invoking Amelia API actions with malformed or missing parameters
  • Response bodies containing absolute filesystem paths such as /var/www/html/wp-content/plugins/ameliabooking/
  • PHP warning or notice strings embedded in JSON or HTML responses from /wp-admin/admin-ajax.php
  • Repeated probing from a single source targeting ameliabooking action names

Detection Strategies

  • Inspect web server access logs for anomalous parameter sets sent to Amelia AJAX handlers
  • Deploy web application firewall rules that flag responses containing filesystem path patterns
  • Correlate reconnaissance requests to Amelia endpoints with subsequent exploitation attempts against other plugins
  • Baseline normal API request shapes and alert on deviations targeting the plugin

Monitoring Recommendations

  • Enable verbose logging on WordPress and reverse-proxy layers to capture full request and response metadata
  • Alert on HTTP responses from WordPress that leak /var/, /home/, or C:\\ path prefixes
  • Track the installed version of the Amelia plugin across managed WordPress sites
  • Monitor for scanner user agents probing WordPress plugin endpoints

How to Mitigate CVE-2025-2578

Immediate Actions Required

  • Update the Amelia plugin to a version later than 1.2.19 that includes the fix from WordPress Changeset 3261318
  • Disable PHP display_errors in production to suppress path disclosure through error output
  • Review web server and PHP-FPM configurations to route errors to log files rather than HTTP responses
  • Audit recent logs for prior reconnaissance targeting the wpAmeliaApiCall endpoint

Patch Information

The vendor resolved the issue in the changeset published at WordPress Changeset Update. Site operators should upgrade the Amelia plugin through the WordPress plugin manager and verify the installed version exceeds 1.2.19. Refer to the WordPress Plugin Code Reference and WordPress Plugin Command Handler for the affected source locations.

Workarounds

  • Set display_errors = Off and log_errors = On in php.ini until the plugin is patched
  • Deploy a WAF rule that strips or blocks response bodies containing absolute filesystem paths
  • Restrict access to Amelia API endpoints via IP allowlisting where booking traffic is predictable
  • Temporarily disable the Amelia plugin on sites where booking functionality is not actively required
bash
# Configuration example: suppress PHP error output in production
# /etc/php/8.2/fpm/php.ini
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/php_errors.log
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

# Reload PHP-FPM after applying changes
sudo systemctl reload php8.2-fpm

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.