Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.19 via the 'wpAmeliaApiCall' function. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Published: 2025-03-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure (Full Path Disclosure)
Action: Apply Patch
AI Analysis

Impact

The Amelia Booking for Appointments and Events Calendar plugin in WordPress contains an unauthenticated full path disclosure flaw in the wpAmeliaApiCall function. An attacker can retrieve absolute server paths via this endpoint. Although the disclosed information does not directly compromise data, it constitutes an information disclosure that can be leveraged to locate critical files and aid other attacks.
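The page does not say how wpAmeliaApiCall leaks the path, so the following is an added illustration of the Full Path Disclosure class in general, not the plugin's code: two common ways a PHP request handler ends up revealing an absolute path (an exception message that embeds __DIR__ and is echoed to the client, and a PHP TypeError that PHP itself renders with the file's path when display_errors is on), beside a hardened form. All function names, the template directory and the messages are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, NOT code from the Amelia plugin. Handler names, the
// templates/ directory and all messages are hypothetical.

function hypothetical_load_template(string $name): string
{
    $path = __DIR__ . '/templates/' . $name . '.php';
    if (!is_file($path)) {
        // The absolute path becomes part of the exception message.
        throw new RuntimeException('Template not found: ' . $path);
    }
    return (string) file_get_contents($path);
}

// Vulnerable pattern: trusts the parameter type and returns raw error text.
function hypothetical_api_call_vulnerable(array $params): string
{
    try {
        $call = $params['call'] ?? '';
        // A request like ?call[]=x makes $call an array; strpos() then throws
        // a TypeError whose uncaught message ends "in /abs/path/file.php:NN",
        // which PHP prints to the client when display_errors is enabled.
        if (strpos($call, 'template/') === 0) {
            return hypothetical_load_template(substr($call, 9));
        }
        return 'ok';
    } catch (RuntimeException $e) {
        return 'error: ' . $e->getMessage();   // leaks __DIR__ to the client
    }
}

// Hardened pattern: validate type and shape first, keep details in the
// server log, and return text that carries no server-side information.
function hypothetical_api_call_hardened(array $params): string
{
    $call = $params['call'] ?? '';
    if (!is_string($call) || !preg_match('#\A[A-Za-z0-9_/-]{1,128}\z#', $call)) {
        return 'error: invalid request';
    }
    try {
        if (strpos($call, 'template/') === 0) {
            return hypothetical_load_template(substr($call, 9));
        }
        return 'ok';
    } catch (Throwable $e) {
        error_log($e->getMessage());          // the path stays server-side
        return 'error: request failed';
    }
}

// Constructed inputs: a missing template, and an array-typed parameter.
$missing = ['call' => 'template/does-not-exist'];
$array   = ['call' => ['x']];   // what ?call[]=x parses to in $_GET

echo hypothetical_api_call_vulnerable($missing), PHP_EOL;
echo hypothetical_api_call_hardened($missing), PHP_EOL;
echo hypothetical_api_call_hardened($array), PHP_EOL;

try {
    hypothetical_api_call_vulnerable($array);
} catch (TypeError $e) {
    // Left uncaught with display_errors=On, PHP would render this path.
    echo 'TypeError raised in ', $e->getFile(), PHP_EOL;
}
```

Run with `php fpd_example.php`. The vulnerable handler's returned error string and the TypeError's file reference both contain the script's absolute directory, which is exactly what a remote client sees when such output is rendered; the hardened handler rejects malformed input before it reaches a typed built-in, returns generic text, and logs the detail server-side.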

Affected Systems

Any WordPress site running the Amelia plugin at version 1.2.19 or earlier is affected; every release up to and including 1.2.19 contains the flaw.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium; vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) describes a network-reachable, low-complexity, unauthenticated flaw with a limited confidentiality impact and no integrity or availability impact. The EPSS score below 1% indicates a very low predicted likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. An unauthenticated attacker triggers it with a request that reaches wpAmeliaApiCall. The disclosed paths do not permit compromise on their own, but they remove the guesswork for attacks that need an absolute path, such as a local file inclusion or arbitrary file write introduced by some other weakness.

Generated by OpenCVE AI on April 22, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround is recorded in this section. The advisory's affected range ends at 1.2.19 and the action field above reads Apply Patch, so upgrading past 1.2.19 is the expected remediation.

OpenCVE Recommended Actions

  • Upgrade the Amelia plugin to a release newer than 1.2.19; the advisory lists every version up to and including 1.2.19 as affected.
  • If an upgrade is not immediately possible, restrict access to the wpAmeliaApiCall endpoint to authenticated users, or block it with web application firewall rules.
  • Ensure PHP error display (display_errors, and WP_DEBUG_DISPLAY in WordPress) is disabled in production so that error messages containing file paths never reach clients.
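As an added example of the second and third measures above (not part of the Amelia plugin or of OpenCVE), a WordPress must-use plugin that turns error display off for the request and replaces the anonymous admin-ajax handler for the action that reaches wpAmeliaApiCall with a 401 response. The AJAX action name is an assumption: the page does not give it, so the constant holds a placeholder that must be replaced with the name found in the installed plugin source.

```php
<?php
/**
 * Plugin Name: Interim FPD hardening (added example, not the Amelia plugin's code)
 *
 * Drop into wp-content/mu-plugins/. Must-use plugins load on every request
 * without activation and run after WordPress has applied its own debug
 * settings, so the ini overrides below take effect for the rest of the request.
 *
 * ASSUMPTION: AMELIA_AJAX_ACTION_ASSUMED is a placeholder. Search the installed
 * plugin for "wpAmeliaApiCall" and the add_action('wp_ajax_nopriv_...') call
 * that registers it, and put that action name here before deploying.
 */

if (!defined('ABSPATH')) {
    exit;
}

const AMELIA_AJAX_ACTION_ASSUMED = 'replace_with_the_registered_action';

// 1. Error output: log, never display. WP_DEBUG_DISPLAY is evaluated in
//    wp-settings.php before mu-plugins load, so also set it to false in
//    wp-config.php; these ini overrides cover the current request regardless.
@ini_set('display_errors', '0');
@ini_set('display_startup_errors', '0');
@ini_set('log_errors', '1');

// 2. Require a logged-in user. admin-ajax.php dispatches 'wp_ajax_nopriv_*'
//    for anonymous callers after 'init' has fired, so unhooking the plugin's
//    handler at a late 'init' priority and installing a refusal in its place
//    stops the request before wpAmeliaApiCall runs. Logged-in users go through
//    'wp_ajax_*', which is left untouched.
add_action('init', function (): void {
    $hook = 'wp_ajax_nopriv_' . AMELIA_AJAX_ACTION_ASSUMED;
    remove_all_actions($hook);
    add_action($hook, function (): void {
        wp_send_json_error(['message' => 'authentication required'], 401);
    }, 0);
}, PHP_INT_MAX);
```

Remove the file after upgrading past 1.2.19. The unhooking only covers the admin-ajax route; if the function is reachable by another path on a given install, a WAF rule on that request path or parameter is the fallback. Functional effects of blocking anonymous calls (for example public booking forms that rely on the same action) should be checked on a staging site first.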


Advisories

Source: EUVD
ID: EUVD-2025-8554
Title: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.19 via the 'wpAmeliaApiCall' function. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

History

Fri, 28 Mar 2025 15:15:00 +0000

Metrics added (ssvc):
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Mar 2025 07:45:00 +0000

Description added: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.19 via the 'wpAmeliaApiCall' function. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Title added: Booking for Appointments and Events Calendar – Amelia <= 1.2.19 - Unauthenticated Full Path Disclosure
Weaknesses added: CWE-200
References added: (none listed)
Metrics added (cvssV3_1):
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:22.670Z

Reserved: 2025-03-20T21:38:51.642Z

Link: CVE-2025-2578

Vulnrichment

Updated: 2025-03-28T14:35:35.299Z

NVD

Status : Deferred

Published: 2025-03-28T08:15:15.603

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses