Impact
Unauthenticated Sensitive Data Exposure in the WordPress Amelia plugin version 2.2 and earlier allows an attacker to retrieve confidential information without authentication. The vulnerability arises from inadequate access controls when handling sensitive data, corresponding to CWE-201. The primary consequence is a confidentiality breach, with an attacker potentially gaining access to customer booking details or personal information stored by the plugin.
Affected Systems
The affected product is the WordPress Amelia booking plugin in versions 2.2 or earlier, deployed on WordPress websites. Any site running these versions is susceptible to the exposed data flaw.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploits. Based on the description, the likely attack vector is any network-accessible endpoint of the Amelia plugin that serves sensitive data without requiring authentication.
OpenCVE Enrichment