Booking for Appointments and Events Calendar Vulnerability – Amelia – Cross-Site Request Forgery – CVE-2024-31425 | WordPress Plugin Vulnerability Report
Plugin Name: Booking for Appointments and Events Calendar – Amelia
Key Information:
- Software Type: Plugin
- Software Slug: ameliabooking
- Software Status: Active
- Software Author: ameliabooking
- Software Downloads: 602,133
- Active Installs: 60,000
- Last Updated: April 24, 2024
- Patched Versions: 1.0.96
- Affected Versions: <= 1.0.95
Vulnerability Details:
- Name: Amelia <= 1.0.95
- Title: Cross-Site Request Forgery
- Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CVE: CVE-2024-31425
- CVSS Score: 4.3
- Publicly Published: April 10, 2024
- Researcher: beluga
- Description: The Amelia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.95. This vulnerability is caused by missing or incorrect nonce validation on a critical function, allowing unauthenticated attackers to execute unauthorized actions via a forged request if they can deceive a site administrator into clicking a link.
Summary:
The Amelia plugin for WordPress, crucial for managing bookings and appointments, has a vulnerability in versions up to and including 1.0.95 that permits unauthorized actions through forged requests due to inadequate nonce validation. This issue has been addressed in the recently released patch version 1.0.96.
Detailed Overview:
The vulnerability poses a significant risk as it exploits the trust relationship between the website and the user's browser, allowing attackers to manipulate the plugin's functionality. This could potentially result in changes to appointment settings, calendar events, or other critical configurations without the administrator's knowledge. The vulnerability has been patched by improving nonce validation in version 1.0.96, effectively mitigating the risk and securing the plugin against similar attack vectors.
Advice for Users:
- Immediate Action: Users of the Amelia plugin should update to the patched version 1.0.96 immediately to protect their sites from potential CSRF attacks.
- Check for Signs of Vulnerability: Administrators should review their site’s logs for any unusual activity or unauthorized changes in appointments and event settings that could indicate this vulnerability was exploited.
- Alternate Plugins: While the patched version addresses the current vulnerability, users may consider evaluating other booking and calendar plugins with strong security track records as additional precautions.
- Stay Updated: Consistently updating plugins and other WordPress components is essential for maintaining site security and functionality, preventing vulnerabilities from being exploited.
Conclusion:
The rapid resolution of the CSRF vulnerability in the Amelia plugin highlights the importance of ongoing vigilance and prompt software updates. By adhering to the latest security practices and ensuring all components are up-to-date, WordPress site owners can safeguard their operations against emerging threats and maintain a trustworthy digital presence. This case serves as a reminder of the critical nature of nonce validation in securing web applications and the need for comprehensive security strategies in today's digital landscape.