Description
Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Sensitive Data Exposure in the WordPress Amelia plugin version 2.2 and earlier allows an attacker to retrieve confidential information without authentication. The vulnerability arises from inadequate access controls when handling sensitive data, corresponding to CWE-201. The primary consequence is a confidentiality breach, with an attacker potentially gaining access to customer booking details or personal information stored by the plugin.

Affected Systems

The affected product is the WordPress Amelia booking plugin in versions 2.2 or earlier, deployed on WordPress websites. Any site running these versions is susceptible to the exposed data flaw.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploits. Based on the description, the likely attack vector is any network-accessible endpoint of the Amelia plugin that serves sensitive data without requiring authentication.

Generated by OpenCVE AI on June 18, 2026 at 03:25 UTC.

Remediation

Vendor Solution

Update the WordPress Amelia Plugin to the latest available version (at least 2.2.1).


OpenCVE Recommended Actions

  • Upgrade the WordPress Amelia plugin to version 2.2.1 or newer, as recommended by the vendor.
  • If upgrading is temporarily infeasible, restrict unauthenticated access to the plugin’s API endpoints by applying firewall rules or network segmentation.
  • Alternatively, temporarily disable the plugin or remove its public-facing functionalities until a patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Tms
Tms amelia
Wordpress
Wordpress wordpress
Vendors & Products Tms
Tms amelia
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions.
Title WordPress Amelia plugin <= 2.2 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:28:53.369Z

Reserved: 2026-04-15T09:20:42.117Z

Link: CVE-2026-40789

cve-icon Vulnrichment

Updated: 2026-06-16T01:28:48.800Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:51.180

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40789

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:28Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data