CVE-2026-6449 Overview
CVE-2026-6449 is an Improper Authorization vulnerability [CWE-285] in the Booking for Appointments and Events Calendar – Amelia plugin for WordPress. The flaw affects all versions up to and including 2.1.2. A logical short-circuit in the authorization logic causes token validation to be skipped when a booking has a waiting status. Unauthenticated attackers can approve any booking in waiting status by sending a crafted request to the publicly accessible admin-ajax.php endpoint.
Critical Impact
Unauthenticated attackers can manipulate booking workflow integrity by approving pending bookings without possessing the validation token, undermining trust in the appointment management system.
Affected Products
- Booking for Appointments and Events Calendar – Amelia plugin for WordPress
- All versions up to and including 2.1.2
- WordPress sites exposing the plugin's admin-ajax.php endpoint
Discovery Timeline
- 2026-05-02 - CVE-2026-6449 published to the National Vulnerability Database (NVD)
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-6449
Vulnerability Analysis
The vulnerability resides in the remote booking approval flow handled by ApproveBookingRemotelyController.php and ApproveBookingRemotelyCommandHandler.php. The authorization workflow uses a token to confirm that a request to approve a booking originates from a legitimate party. However, the validation logic short-circuits when the booking's status is waiting, bypassing the token check entirely.
The issue manifests in UserApplicationService.php, where conditional logic returns success without verifying the supplied token under specific status conditions. This allows the request to proceed to the approval handler regardless of the token's authenticity. Attackers reach this code path through the AJAX action the plugin registers on the unauthenticated admin-ajax.php endpoint.
The attack does not require credentials, user interaction, or elevated privileges. The impact is limited to integrity of booking records — confidentiality and availability are not directly affected.
Root Cause
The root cause is a flawed conditional in the authorization service that treats a waiting booking status as sufficient grounds to grant access. The logic was likely intended to permit a benign workflow path but was placed before the token comparison, eliminating the security check it was meant to complement.
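The following is an added illustration, not the plugin's code: a minimal model of the flawed conditional described above, beside a corrected form that performs the token comparison before consulting the booking status. The function names, the shape of the conditional and the sample token are hypothetical.

```python
import hmac

# Hypothetical model of the authorization decision. The real check lives in
# UserApplicationService.php; nothing here is copied from the plugin.


def vulnerable_authorize(booking_status: str, supplied_token: str, expected_token: str) -> bool:
    # The status test is evaluated first and joined with "or", so for a
    # waiting booking the token comparison is never reached: this is the
    # short-circuit that lets an unauthenticated caller approve the booking.
    if booking_status == "waiting" or hmac.compare_digest(supplied_token, expected_token):
        return True
    return False


def fixed_authorize(booking_status: str, supplied_token: str, expected_token: str) -> bool:
    # The token is the authorization decision; the status only narrows which
    # bookings may be approved remotely. Reject on a bad token first, then
    # check that the booking is actually awaiting approval.
    if not expected_token or not hmac.compare_digest(supplied_token, expected_token):
        return False
    return booking_status == "waiting"


def compare(supplied_token: str) -> dict:
    # Run both variants against a waiting booking with a constructed expected
    # token and return the two decisions side by side.
    expected = "c0nstructed-t0ken"  # constructed sample value, not a real token
    return {
        "vulnerable": vulnerable_authorize("waiting", supplied_token, expected),
        "fixed": fixed_authorize("waiting", supplied_token, expected),
    }
```

With a wrong token on a waiting booking, the vulnerable variant returns True and the fixed variant returns False; a correct token is accepted only while the booking is still waiting.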
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP POST request to /wp-admin/admin-ajax.php invoking the Amelia approval action. The request specifies a target booking identifier whose status is waiting. Because token validation is skipped, the plugin marks the booking as approved. Attackers can enumerate or guess booking IDs to mass-approve pending appointments.
// No verified proof-of-concept code is publicly available.
// Refer to the WordPress plugin source references and the Wordfence advisory
// for the precise vulnerable code paths in:
// - ApproveBookingRemotelyController.php (line 41)
// - ApproveBookingRemotelyCommandHandler.php (line 97)
// - UserApplicationService.php (line 647)
Detection Methods for CVE-2026-6449
Indicators of Compromise
- Unexpected booking state transitions from waiting to approved without a corresponding authenticated administrator session.
- POST requests to /wp-admin/admin-ajax.php referencing the Amelia approve booking action originating from unauthenticated clients.
- Bookings approved outside of normal business hours or from atypical IP ranges.
- Spikes in admin-ajax.php request volume from a single source targeting Amelia endpoints.
Detection Strategies
- Inspect web server access logs for repeated POST requests to admin-ajax.php carrying the Amelia approval action parameter without an authenticated wordpress_logged_in_* cookie.
- Correlate Amelia booking audit entries against WordPress user session logs to identify approvals lacking a valid administrator session.
- Deploy WordPress application firewall rules that flag requests to the vulnerable action with missing or malformed token parameters.
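An added example (not from the advisory or the plugin) that applies the indicators and the first detection strategy above to access-log entries: it picks out POSTs to admin-ajax.php carrying the Amelia approval action with no wordpress_logged_in_* cookie, then flags sources that issue several of them within a short window. The JSON-lines log format, the `call=` parameter name and all addresses and timestamps are constructed; it assumes the web server was configured to log request arguments and the Cookie header, which a default combined log format does not.

```python
import json
from collections import defaultdict

# Constructed access-log sample in JSON-lines form (not real traffic).
SAMPLE_LOG = """
{"ts": 1777700000, "src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "args": "action=wpamelia_api&call=/bookings/approveBookingRemotely&id=101", "cookie": ""}
{"ts": 1777700004, "src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "args": "action=wpamelia_api&call=/bookings/approveBookingRemotely&id=102", "cookie": ""}
{"ts": 1777700009, "src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "args": "action=wpamelia_api&call=/bookings/approveBookingRemotely&id=103", "cookie": ""}
{"ts": 1777700300, "src": "198.51.100.20", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "args": "action=wpamelia_api&call=/bookings/approveBookingRemotely&id=104", "cookie": "wordpress_logged_in_abc=placeholder"}
{"ts": 1777700310, "src": "198.51.100.21", "method": "GET", "uri": "/wp-admin/admin-ajax.php", "args": "action=heartbeat", "cookie": ""}
"""

AMELIA_ACTION = "wpamelia_api"            # action value used by the WAF rule on this page
APPROVE_MARKER = "approveBookingRemotely"  # approval call referenced in the request arguments
COOKIE_PREFIX = "wordpress_logged_in_"     # WordPress authenticated-session cookie prefix


def is_unauth_approval(entry: dict) -> bool:
    """True for an Amelia remote-approval POST that carries no WordPress login cookie."""
    if entry.get("method") != "POST" or not entry.get("uri", "").endswith("/wp-admin/admin-ajax.php"):
        return False
    args = entry.get("args", "")
    if f"action={AMELIA_ACTION}" not in args or APPROVE_MARKER not in args:
        return False
    return COOKIE_PREFIX not in entry.get("cookie", "")


def find_bulk_sources(log_text: str, threshold: int = 3, window: int = 60) -> dict:
    """Map each source IP to its count of unauthenticated approval requests,
    keeping only sources that sent `threshold` of them within `window` seconds."""
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        if is_unauth_approval(entry):
            by_src[entry["src"]].append(entry["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        # Sliding window: any run of `threshold` consecutive events within `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[src] = len(stamps)
                break
    return flagged
```

Against the sample, only 203.0.113.7 is flagged; the authenticated approval from 198.51.100.20 and the heartbeat GET are ignored.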
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized SIEM such as Singularity Data Lake for retention and correlation across booking workflows.
- Alert on bulk approval events affecting multiple bookings within a short time window.
- Track outbound notifications generated by approved bookings to detect spam or social engineering side-effects.
How to Mitigate CVE-2026-6449
Immediate Actions Required
- Update the Amelia plugin to a version newer than 2.1.2 as soon as the vendor publishes a fix.
- Audit all bookings currently in approved status that previously held waiting status to identify unauthorized approvals.
- Restrict access to /wp-admin/admin-ajax.php at the web application firewall layer where business requirements allow.
Patch Information
Review the WordPress ChangeSet Overview for the upstream commit addressing this issue. Refer to the Wordfence Vulnerability Report for vendor remediation details and apply the latest available plugin release through the WordPress admin dashboard.
Workarounds
- Temporarily disable the Amelia plugin if booking approval is not actively required.
- Add a web application firewall rule that blocks unauthenticated requests to the Amelia approve booking AJAX action.
- Manually transition bookings out of waiting status more frequently to reduce the window of exploitable records.
- Monitor and revert any unauthorized approvals discovered during ongoing audits.
# Example WAF rule (ModSecurity-style) to block unauthenticated
# requests to the vulnerable Amelia AJAX action.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1026644901,\
msg:'Block Amelia approveBookingRemotely without auth cookie'"
SecRule ARGS:action "@streq wpamelia_api" "chain"
SecRule ARGS "@contains approveBookingRemotely" "chain"
SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.