{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14720", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-15T14:10:14.139Z", "datePublished": "2026-01-09T06:34:54.137Z", "dateUpdated": "2026-01-09T19:10:22.011Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-09T06:34:54.137Z"}, "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.2.38", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things."}], "title": "Booking for Appointments and Events Calendar \u2013 Amelia <= 1.2.38 - Missing Authorization to Unauthenticated Multiple AJAX Actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/771ed385-587c-400f-89c6-1a827c3e2c79?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3429650/ameliabooking/trunk/src/Application/Commands/Square/SquareRefundWebhookCommandHandler.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2025-12-12T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2025-12-15T14:26:33.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T17:39:35.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T19:07:40.308973Z", "id": "CVE-2025-14720", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:10:22.011Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14720", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T19:07:40.308973Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:10:19.414Z"}}], "cna": {"title": "Booking for Appointments and Events Calendar \u2013 Amelia <= 1.2.38 - Missing Authorization to Unauthenticated Multiple AJAX Actions", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.38"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-12-15T14:26:33.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T17:39:35.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/771ed385-587c-400f-89c6-1a827c3e2c79?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3429650/ameliabooking/trunk/src/Application/Commands/Square/SquareRefundWebhookCommandHandler.php"}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-09T06:34:54.137Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14720", "state": "PUBLISHED", "dateUpdated": "2026-01-09T19:10:22.011Z", "dateReserved": "2025-12-15T14:10:14.139Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T06:34:54.137Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things."}], "id": "CVE-2025-14720", "lastModified": "2026-01-09T07:16:01.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-01-09T07:16:01.153", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3429650/ameliabooking/trunk/src/Application/Commands/Square/SquareRefundWebhookCommandHandler.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/771ed385-587c-400f-89c6-1a827c3e2c79?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"created": "2026-01-09T13:23:46.241639+00:00", "updated": "2026-01-09T13:23:46.241667+00:00", "vendors": ["ameliabooking", "ameliabooking$PRODUCT$booking_for_appointments_and_events_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}